Resource exhaustion in Salvo-rs Salvo

CVE-2026-33241

Salvo is a Rust web framework. Prior to version 0.89.3, Salvo's form data parsing implementations (`form_data()` method and `Extractible` macro) do not enforce payload size limits before reading request bodies into memory. This allows atta…

EPSS: 0.000 (10.3th percentile) — read the EPSS interpretation.

Affected products

Salvo-rs Salvo — versions < 0.89.3

Weakness classification (CWE)

CWE-770 — Allocation of Resources Without Limits or Throttling

References

https://github.com/salvo-rs/salvo/security/advisories/GHSA-pp9r-xg4c-8j4x (x_refsource_CONFIRM)
https://github.com/salvo-rs/salvo/releases/tag/v0.89.3 (x_refsource_MISC)