Description

Salvo is a Rust web framework. Versions 0.39.0 through 0.89.2 have a Path Traversal and Access Control Bypass vulnerability in the salvo-proxy component. The vulnerability allows an unauthenticated external attacker to bypass proxy routing constraints and access unintended backend paths (e.g., protected endpoints or administrative dashboards). This issue stems from the encode_url_path function, which fails to normalize "../" sequences and inadvertently forwards them verbatim to the upstream server by not re-encoding the "." character. Version 0.89.3 contains a patch.

INFO

Published Date :

2026-03-23T23:40:39.886Z

Last Modified :

2026-03-24T15:12:45.439Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33242 vulnerability.

Vendors Products
Salvo
  • Salvo
Salvo-rs
  • Salvo
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33242.

URL Resource
https://github.com/salvo-rs/salvo/commit/7bac30e6960355c58e358e402072d4a3e5c4e1bb#diff-e319bf7afcb577f7e9f4fb767005072f6335d23f306dd52e8c94f3d222610d02R20 cve-icon cve-icon
https://github.com/salvo-rs/salvo/releases/tag/v0.89.3 cve-icon cve-icon
https://github.com/salvo-rs/salvo/security/advisories/GHSA-f842-phm9-p4v4 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact