{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33241", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T02:42:27.508Z", "datePublished": "2026-03-23T23:41:50.533Z", "dateUpdated": "2026-03-25T19:22:48.083Z"}, "containers": {"cna": {"title": "Salvo Affected by Denial of Service via Unbounded Memory Allocation in Form Data Parsing", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/salvo-rs/salvo/security/advisories/GHSA-pp9r-xg4c-8j4x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/salvo-rs/salvo/security/advisories/GHSA-pp9r-xg4c-8j4x"}, {"name": "https://github.com/salvo-rs/salvo/releases/tag/v0.89.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/salvo-rs/salvo/releases/tag/v0.89.3"}], "affected": [{"vendor": "salvo-rs", "product": "salvo", "versions": [{"version": "< 0.89.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T23:41:50.533Z"}, "descriptions": [{"lang": "en", "value": "Salvo is a Rust web framework. Prior to version 0.89.3, Salvo's form data parsing implementations (`form_data()` method and `Extractible` macro) do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory (OOM) conditions by sending extremely large payloads, leading to service crashes and denial of service. Version 0.89.3 contains a patch."}], "source": {"advisory": "GHSA-pp9r-xg4c-8j4x", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T19:22:09.920768Z", "id": "CVE-2026-33241", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:22:48.083Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33241", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T19:22:09.920768Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:22:16.444Z"}}], "cna": {"title": "Salvo Affected by Denial of Service via Unbounded Memory Allocation in Form Data Parsing", "source": {"advisory": "GHSA-pp9r-xg4c-8j4x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "salvo-rs", "product": "salvo", "versions": [{"status": "affected", "version": "< 0.89.3"}]}], "references": [{"url": "https://github.com/salvo-rs/salvo/security/advisories/GHSA-pp9r-xg4c-8j4x", "name": "https://github.com/salvo-rs/salvo/security/advisories/GHSA-pp9r-xg4c-8j4x", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/salvo-rs/salvo/releases/tag/v0.89.3", "name": "https://github.com/salvo-rs/salvo/releases/tag/v0.89.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Salvo is a Rust web framework. Prior to version 0.89.3, Salvo's form data parsing implementations (`form_data()` method and `Extractible` macro) do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory (OOM) conditions by sending extremely large payloads, leading to service crashes and denial of service. Version 0.89.3 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T23:41:50.533Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33241", "state": "PUBLISHED", "dateUpdated": "2026-03-25T19:22:48.083Z", "dateReserved": "2026-03-18T02:42:27.508Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-23T23:41:50.533Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:salvo:salvo:*:*:*:*:*:rust:*:*", "matchCriteriaId": "7BCE02A7-D247-431F-B272-C471BCA96601", "versionEndExcluding": "0.89.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Salvo is a Rust web framework. Prior to version 0.89.3, Salvo's form data parsing implementations (`form_data()` method and `Extractible` macro) do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory (OOM) conditions by sending extremely large payloads, leading to service crashes and denial of service. Version 0.89.3 contains a patch."}, {"lang": "es", "value": "Salvo es un framework web de Rust. Antes de la versi\u00f3n 0.89.3, las implementaciones de an\u00e1lisis de datos de formulario de Salvo ('form_data()' m\u00e9todo y 'Extractible' macro) no aplican l\u00edmites de tama\u00f1o de carga \u00fatil antes de leer los cuerpos de las solicitudes en la memoria. Esto permite a los atacantes causar condiciones de falta de memoria (OOM) enviando cargas \u00fatiles extremadamente grandes, lo que lleva a ca\u00eddas del servicio y denegaci\u00f3n de servicio. La versi\u00f3n 0.89.3 contiene un parche."}], "id": "CVE-2026-33241", "lastModified": "2026-03-24T19:37:58.750", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T00:16:29.517", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/salvo-rs/salvo/releases/tag/v0.89.3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/salvo-rs/salvo/security/advisories/GHSA-pp9r-xg4c-8j4x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.89.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "salvo", "source": "cna", "vendor": "salvo-rs"}, "product": "salvo", "vendor": "salvo-rs"}], "analysis": {"en": {"generated_at": "2026-03-24T20:31:49.067101+00:00", "value": {"mitigation_remediation": ["Upgrade Salvo to version 0.89.3 or later", "Verify that no custom form parsing components re\u2011introduce unbounded allocation", "Monitor system memory usage and application health metrics to detect potential OOM incidents"], "summary": {"action": "Apply Patch", "impact": "Denial of Service via Out-of-Memory Condition"}, "threat_synthesis": {"affected_systems": "Salvo framework from the Rust ecosystem, specifically versions earlier than 0.89.3. The affected component is the form_data() method and Extractible macro used by developers to parse multipart or URL\u2011encoded form bodies. Updating to Salvo 0.89.3 or newer removes the check and prevents the over\u2011allocation.", "description_and_impact": "The vulnerability originates in Salvo's form data parsing logic, where the size of incoming payloads is not limited before the entire body is read into memory. This omission allows an adversary to send a deliberately massive form payload so that the process exhausts available memory, resulting in a crash or forced restart of the application server. The weakness is a classic unbounded allocation flaw (CWE\u2011770). Because the failure manifests as service unavailability rather than leakage or control compromise, the primary impact is denial of service.", "risk_and_exploitability": "The severity score of 8.7 (CVSS v3.1) indicates a high risk. The EPSS probability is below 1\u202f%, meaning exploitation is unlikely in the wild, but the omission can be leveraged by an attacker with network access to the web service, simply by crafting a very large HTTP request. Since the vulnerability is not listed in CISA\u2019s KEV catalogue, there is no evidence of active exploitation. The entry point is a publicly exposed HTTP endpoint that accepts form data, so the attack vector is network\u2011based. Proper mitigation is by installing the patched version."}}}}, "created": "2026-03-24T10:29:46.958515+00:00", "updated": "2026-03-25T21:27:53.890105+00:00", "vendors": ["salvo-rs", "salvo-rs$PRODUCT$salvo"]}