Skip to main content

Docker CVE-2026-33241

HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-03-19 https://github.com/salvo-rs/salvo GHSA-pp9r-xg4c-8j4x
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 19, 2026 - 12:45 vuln.today
CVE Published
Mar 19, 2026 - 12:44 nvd
HIGH 7.5

DescriptionGitHub Advisory

Summary

Salvo's form data parsing implementations (form_data() method and Extractible macro) do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory (OOM) conditions by sending extremely large payloads, leading to service crashes and denial of service.

Details

Vulnerability Description

Three attack vectors exist in Salvo's form handling:

  1. URL-encoded form data (application/x-www-form-urlencoded)
  • Request::form_data() calls BodyExt::collect(body) which reads the entire body into memory without size checking
  • Affects handlers using req.form_data().await directly
  1. Multipart form data (multipart/form-data)
  • Similar unbounded memory allocation during parsing
  • Affects handlers processing multipart uploads
  1. Extractible macro
  • #[derive(Extractible)] with #[salvo(extract(default_source(from = "body")))] internally calls form_data()
  • Vulnerabilities propagate to all extractors using body sources

Root Cause

The FormData::read() implementation prioritizes convenience over safety by reading entire request bodies before validation. Even when Request::payload_with_max_size() is available, it's not automatically applied in the form parsing path.

PoC

  1. run Extract data from request example in readme.md in docker file with limited memory say 100mb.
  2. Send application/x-www-form-urlencoded OR multipart/form-data payload to the endpoint.
  3. The server process OOM-crashes, instead of returning 413 error.

Impact

Immediate Effects

  • Service Unavailability: Servers crash under memory pressure
  • Resource Exhaustion: Single request can consume all available memory
  • Cascading Failures: In containerized environments, OOM can affect other services

Attack Characteristics

  • Low Cost: Attacker needs minimal bandwidth (header only, body can be streamed)
  • No Authentication: Exploitable on public endpoints
  • Difficult to Rate-Limit: Traditional rate limiting may not prevent single large request
  • Amplification: Small network cost → large memory consumption

Real-World Scenarios

  1. Public API endpoints accepting form data
  2. User registration/profile update handlers
  3. File upload endpoints using multipart forms
  4. Any endpoint using #[derive(Extractible)] with body sources

Suggestion: Make Multipart File Upload Handling Explicit Opt-In

Problem Statement

Currently, Salvo's multipart form data parsing automatically handles file uploads without explicit developer intent. This creates several security and usability concerns:

  1. Unintended File Storage: Developers may unknowingly accept file uploads when they only intended to handle text fields
  2. Disk Space Exhaustion: Automatic file buffering to disk can fill storage without proper limits
  3. Resource Cleanup: Temporary files may not be properly cleaned up if handlers don't expect them
  4. Attack Surface: Endpoints inadvertently become file upload targets

AnalysisAI

Salvo web framework's form data parsing functions fail to enforce payload size limits before loading request bodies into memory, allowing attackers to trigger Out-of-Memory crashes by sending extremely large form payloads. This affects the Rust package salvo (pkg:rust/salvo) through multiple attack vectors including URL-encoded and multipart form data handling. A proof-of-concept demonstrates successful denial-of-service against containerized deployments with limited memory, and the vulnerability is publicly documented in GitHub security advisories GHSA-pp9r-xg4c-8j4x.

Technical ContextAI

This vulnerability affects the Salvo web framework for Rust (pkg:rust/salvo), specifically in the form data parsing implementation. The issue stems from CWE-770 (Allocation of Resources Without Limits or Throttling) where the Request::form_data() method and Extractible macro call BodyExt::collect() to read entire request bodies into memory without size validation. Three attack vectors exist: application/x-www-form-urlencoded parsing, multipart/form-data handling, and the Extractible derive macro with body sources. The root cause is that convenience was prioritized over safety, with the framework not automatically applying available Request::payload_with_max_size() protections in the form parsing code path. This creates unbounded memory allocation that can exhaust system resources.

RemediationAI

Consult the official Salvo security advisory at https://github.com/salvo-rs/salvo/security/advisories/GHSA-pp9r-xg4c-8j4x for patched versions and upgrade instructions. Until patching is completed, implement immediate mitigations by configuring reverse proxy or web application firewall rules to enforce request body size limits (e.g., client_max_body_size in Nginx or LimitRequestBody in Apache) appropriate to your application's legitimate use cases. For containerized deployments, implement memory limits with proper OOM handling and monitoring to contain blast radius. Review all endpoints using form_data(), multipart parsing, or Extractible macros with body sources to manually validate payload sizes using Request::payload_with_max_size() where the framework's automatic protections are bypassed. Consider implementing application-level request size validation before form parsing operations.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

CVE-2026-33241 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy