{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-33241",
        "tracking": {
            "current_release_date": "2026-03-29T16:14:27.030217Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-33241",
            "initial_release_date": "2026-03-19T15:31:28.109175Z",
            "revision_history": [
                {
                    "date": "2026-03-19T15:31:28.109175Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-19T15:31:31.920199Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-24T20:42:49.963733Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-24T20:42:53.974761Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-24T20:53:59.287000Z",
                    "number": "5",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| Product Identifiers created (1).| Exploits created (1).| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-24T20:54:02.033319Z",
                    "number": "6",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-24T21:37:46.465149Z",
                    "number": "7",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-24T21:37:48.742501Z",
                    "number": "8",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-25T20:39:51.626583Z",
                    "number": "9",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-03-25T20:39:53.267455Z",
                    "number": "10",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-25T21:50:34.992842Z",
                    "number": "11",
                    "summary": "References created (2)."
                },
                {
                    "date": "2026-03-29T03:16:19.024954Z",
                    "number": "12",
                    "summary": "References removed (2)."
                },
                {
                    "date": "2026-03-29T03:16:21.851701Z",
                    "number": "13",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-29T16:14:25.557596Z",
                    "number": "14",
                    "summary": "References created (2)."
                }
            ],
            "status": "interim",
            "version": "14"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<0.89.3",
                                "product": {
                                    "name": "vers:unknown/<0.89.3",
                                    "product_id": "CSAFPID-5902806",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:salvo:salvo:*:*:*:*:*:rust:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "salvo"
                    }
                ],
                "category": "vendor",
                "name": "salvo"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<0.89.3",
                                "product": {
                                    "name": "vers:unknown/<0.89.3",
                                    "product_id": "CSAFPID-5901701"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "salvo"
                    }
                ],
                "category": "vendor",
                "name": "salvo-rs"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-33241",
            "cwe": {
                "id": "CWE-770",
                "name": "Allocation of Resources Without Limits or Throttling"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "## Summary\nSalvo's form data parsing implementations (`form_data()` method and `Extractible` macro) do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory (OOM) conditions by sending extremely large payloads, leading to service crashes and denial of service.\n\n## Details\n### Vulnerability Description\nThree attack vectors exist in Salvo's form handling:\n\n1. **URL-encoded form data** (`application/x-www-form-urlencoded`)\n   - `Request::form_data()` calls `BodyExt::collect(body)` which reads the entire body into memory without size checking\n   - Affects handlers using `req.form_data().await` directly\n\n2. **Multipart form data** (`multipart/form-data`)\n   - Similar unbounded memory allocation during parsing\n   - Affects handlers processing multipart uploads\n\n3. **Extractible macro**\n   - `#[derive(Extractible)]` with `#[salvo(extract(default_source(from = \"body\")))]` internally calls `form_data()`\n   - Vulnerabilities propagate to all extractors using body sources\n\n### Root Cause\nThe `FormData::read()` implementation prioritizes convenience over safety by reading entire request bodies before validation. Even when `Request::payload_with_max_size()` is available, it's not automatically applied in the form parsing path.\n\n### PoC\n1. run `Extract data from request` example in readme.md in docker file with limited memory say 100mb.\n2. Send `application/x-www-form-urlencoded` OR `multipart/form-data` payload to the endpoint.\n3. The server process OOM-crashes, instead of returning 413 error.\n\n\n## Impact\n### Immediate Effects\n- **Service Unavailability**: Servers crash under memory pressure\n- **Resource Exhaustion**: Single request can consume all available memory\n- **Cascading Failures**: In containerized environments, OOM can affect other services\n\n### Attack Characteristics\n- **Low Cost**: Attacker needs minimal bandwidth (header only, body can be streamed)\n- **No Authentication**: Exploitable on public endpoints\n- **Difficult to Rate-Limit**: Traditional rate limiting may not prevent single large request\n- **Amplification**: Small network cost → large memory consumption\n\n### Real-World Scenarios\n1. Public API endpoints accepting form data\n2. User registration/profile update handlers\n3. File upload endpoints using multipart forms\n4. Any endpoint using `#[derive(Extractible)]` with body sources\n\n## Suggestion: Make Multipart File Upload Handling Explicit Opt-In\n\n### Problem Statement\n\nCurrently, Salvo's multipart form data parsing automatically handles file uploads without explicit developer intent. This creates several security and usability concerns:\n\n1. **Unintended File Storage**: Developers may unknowingly accept file uploads when they only intended to handle text fields\n2. **Disk Space Exhaustion**: Automatic file buffering to disk can fill storage without proper limits\n3. **Resource Cleanup**: Temporary files may not be properly cleaned up if handlers don't expect them\n4. **Attack Surface**: Endpoints inadvertently become file upload targets",
                    "title": "github - https://api.github.com/advisories/GHSA-pp9r-xg4c-8j4x"
                },
                {
                    "category": "description",
                    "text": "Salvo is a Rust web framework. Prior to version 0.89.3, Salvo's form data parsing implementations (`form_data()` method and `Extractible` macro) do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory (OOM) conditions by sending extremely large payloads, leading to service crashes and denial of service. Version 0.89.3 contains a patch.",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33241.json"
                },
                {
                    "category": "description",
                    "text": "Salvo is a Rust web framework. Prior to version 0.89.3, Salvo's form data parsing implementations (`form_data()` method and `Extractible` macro) do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory (OOM) conditions by sending extremely large payloads, leading to service crashes and denial of service. Version 0.89.3 contains a patch.",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33241"
                },
                {
                    "category": "other",
                    "text": "0.00016",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                    "title": "CVSSV4"
                },
                {
                    "category": "other",
                    "text": "8.7",
                    "title": "CVSSV4 base score"
                },
                {
                    "category": "other",
                    "text": "3.7",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "Exploit code publicly available, There is exploit data available from source Nvd, The value of the most recent EPSS score",
                    "title": "NCSC Score top decreasing factors"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5901701",
                    "CSAFPID-5902806"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-pp9r-xg4c-8j4x"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33241.json"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33241"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://github.com/salvo-rs/salvo/security/advisories/GHSA-pp9r-xg4c-8j4x"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-pp9r-xg4c-8j4x"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://github.com/salvo-rs/salvo/releases/tag/v0.89.3"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33241"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                        "baseScore": 7.5,
                        "baseSeverity": "HIGH"
                    },
                    "products": [
                        "CSAFPID-5901701",
                        "CSAFPID-5902806"
                    ]
                }
            ],
            "title": "CVE-2026-33241"
        }
    ]
}