Docker
CVE-2026-33241
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
Salvo's form data parsing implementations (form_data() method and Extractible macro) do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory (OOM) conditions by sending extremely large payloads, leading to service crashes and denial of service.
Details
Vulnerability Description
Three attack vectors exist in Salvo's form handling:
- URL-encoded form data (
application/x-www-form-urlencoded)
Request::form_data()callsBodyExt::collect(body)which reads the entire body into memory without size checking- Affects handlers using
req.form_data().awaitdirectly
- Multipart form data (
multipart/form-data)
- Similar unbounded memory allocation during parsing
- Affects handlers processing multipart uploads
- Extractible macro
#[derive(Extractible)]with#[salvo(extract(default_source(from = "body")))]internally callsform_data()- Vulnerabilities propagate to all extractors using body sources
Root Cause
The FormData::read() implementation prioritizes convenience over safety by reading entire request bodies before validation. Even when Request::payload_with_max_size() is available, it's not automatically applied in the form parsing path.
PoC
- run
Extract data from requestexample in readme.md in docker file with limited memory say 100mb. - Send
application/x-www-form-urlencodedORmultipart/form-datapayload to the endpoint. - The server process OOM-crashes, instead of returning 413 error.
Impact
Immediate Effects
- Service Unavailability: Servers crash under memory pressure
- Resource Exhaustion: Single request can consume all available memory
- Cascading Failures: In containerized environments, OOM can affect other services
Attack Characteristics
- Low Cost: Attacker needs minimal bandwidth (header only, body can be streamed)
- No Authentication: Exploitable on public endpoints
- Difficult to Rate-Limit: Traditional rate limiting may not prevent single large request
- Amplification: Small network cost → large memory consumption
Real-World Scenarios
- Public API endpoints accepting form data
- User registration/profile update handlers
- File upload endpoints using multipart forms
- Any endpoint using
#[derive(Extractible)]with body sources
Suggestion: Make Multipart File Upload Handling Explicit Opt-In
Problem Statement
Currently, Salvo's multipart form data parsing automatically handles file uploads without explicit developer intent. This creates several security and usability concerns:
- Unintended File Storage: Developers may unknowingly accept file uploads when they only intended to handle text fields
- Disk Space Exhaustion: Automatic file buffering to disk can fill storage without proper limits
- Resource Cleanup: Temporary files may not be properly cleaned up if handlers don't expect them
- Attack Surface: Endpoints inadvertently become file upload targets
AnalysisAI
Salvo web framework's form data parsing functions fail to enforce payload size limits before loading request bodies into memory, allowing attackers to trigger Out-of-Memory crashes by sending extremely large form payloads. This affects the Rust package salvo (pkg:rust/salvo) through multiple attack vectors including URL-encoded and multipart form data handling. A proof-of-concept demonstrates successful denial-of-service against containerized deployments with limited memory, and the vulnerability is publicly documented in GitHub security advisories GHSA-pp9r-xg4c-8j4x.
Technical ContextAI
This vulnerability affects the Salvo web framework for Rust (pkg:rust/salvo), specifically in the form data parsing implementation. The issue stems from CWE-770 (Allocation of Resources Without Limits or Throttling) where the Request::form_data() method and Extractible macro call BodyExt::collect() to read entire request bodies into memory without size validation. Three attack vectors exist: application/x-www-form-urlencoded parsing, multipart/form-data handling, and the Extractible derive macro with body sources. The root cause is that convenience was prioritized over safety, with the framework not automatically applying available Request::payload_with_max_size() protections in the form parsing code path. This creates unbounded memory allocation that can exhaust system resources.
RemediationAI
Consult the official Salvo security advisory at https://github.com/salvo-rs/salvo/security/advisories/GHSA-pp9r-xg4c-8j4x for patched versions and upgrade instructions. Until patching is completed, implement immediate mitigations by configuring reverse proxy or web application firewall rules to enforce request body size limits (e.g., client_max_body_size in Nginx or LimitRequestBody in Apache) appropriate to your application's legitimate use cases. For containerized deployments, implement memory limits with proper OOM handling and monitoring to contain blast radius. Review all endpoints using form_data(), multipart parsing, or Extractible macros with body sources to manually validate payload sizes using Request::payload_with_max_size() where the framework's automatic protections are bypassed. Consider implementing application-level request size validation before form parsing operations.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-pp9r-xg4c-8j4x