Salvo Web Framework Denial of Service Vulnerability (CVE-2026-33241)
The Salvo web framework before version 0.89.3 is vulnerable to denial of service due to unbounded memory allocation when parsing form data, enabling attackers to crash services by sending large payloads.
Salvo is a Rust-based web framework. Prior to version 0.89.3, the form_data() method and Extractible macro within Salvo do not properly enforce payload size limits when parsing form data. This lack of input validation allows a remote, unauthenticated attacker to send arbitrarily large HTTP request bodies to a vulnerable server. By exploiting this vulnerability, an attacker can exhaust the server’s memory resources, leading to an Out-of-Memory (OOM) condition. This results in service crashes…
Detection coverage (2)
Detect Large HTTP Request Body Size
Medium: Detects abnormally large HTTP request bodies, which could indicate a denial-of-service attempt exploiting CVE-2026-33241.
Detect Repeated POST Requests from Single IP
Medium: Detects a high volume of POST requests from a single IP address within a short timeframe, potentially indicating a DoS attack against the form_data() method or Extractible macro.
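A sketch of how the two detections described above could be evaluated over access-log records. This is an added example, not the platform's rules or Salvo project code. The log layout, the thresholds (10 MiB, 5 POSTs in 10 seconds) and the names `parse` and `detect` are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque

# Assumed thresholds (not from the advisory); tune to the service's real form sizes.
MAX_BODY_BYTES = 10 * 1024 * 1024  # bodies above 10 MiB are flagged
POST_BURST = 5                     # this many POSTs from one IP ...
WINDOW_SECONDS = 10                # ... within this many seconds is flagged

# Constructed sample log: epoch_seconds client_ip method path request_body_bytes
SAMPLE_LOG = """\
1000 203.0.113.5 GET /index 0
1001 203.0.113.5 POST /login 182
1002 198.51.100.7 POST /profile 536870912
1003 192.0.2.44 POST /comment 300
1004 192.0.2.44 POST /comment 310
1005 192.0.2.44 POST /comment 305
1006 192.0.2.44 POST /comment 299
1007 192.0.2.44 POST /comment 301
1008 192.0.2.44 POST /comment 300
1060 203.0.113.5 POST /login 180
"""

def parse(log_text):
    """Turn each non-empty line into (ts, ip, method, path, body_bytes)."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path, size = line.split()
        records.append((int(ts), ip, method, path, int(size)))
    return records

def detect(records):
    """Return alerts as (rule, client_ip, timestamp), in time order."""
    alerts, recent, bursting = [], defaultdict(deque), set()
    for ts, ip, method, _path, size in sorted(records):
        if method != "POST":
            continue
        if size > MAX_BODY_BYTES:
            alerts.append(("large_body", ip, ts))
        window = recent[ip]
        window.append(ts)
        while ts - window[0] >= WINDOW_SECONDS:  # drop POSTs outside the window
            window.popleft()
        if len(window) < POST_BURST:
            bursting.discard(ip)
        elif ip not in bursting:  # alert once per burst, not once per request
            bursting.add(ip)
            alerts.append(("post_burst", ip, ts))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The size field should be the number of body bytes the server or proxy actually received, since a chunked request carries no Content-Length header to compare against.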