CVE-2026-33241: Salvo Affected by Denial of Service via Unbounded Memory Allocation in Form Data Parsing
Salvo’s form data parsing implementations (form_data() method and Extractible macro) do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory (OOM) conditions by sending extremely large payloads, leading to service crashes and denial of service.
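The missing check, sketched as an added example in standard-library Rust (this is not Salvo's code or its fix): the unbounded read buffers whatever the client sends, while the bounded read rejects on the declared length and also caps the bytes actually read. `MAX_FORM_BYTES`, `BodyError`, `read_unbounded` and `read_bounded` are hypothetical names, and the byte streams are constructed sample input.

```rust
use std::io::{self, Read};

/// Hypothetical cap chosen for this example; not a Salvo default.
const MAX_FORM_BYTES: u64 = 64 * 1024;

#[derive(Debug, PartialEq)]
enum BodyError {
    TooLarge,
    Io(io::ErrorKind),
}

/// The pattern the advisory describes: memory use is decided by the sender.
fn read_unbounded<R: Read>(mut body: R) -> io::Result<Vec<u8>> {
    let mut buf = Vec::new();
    body.read_to_end(&mut buf)?;
    Ok(buf)
}

/// Bounded form: check the declared length first, then cap the real read,
/// because Content-Length can be absent (chunked bodies) or untruthful.
fn read_bounded<R: Read>(body: R, declared_len: Option<u64>, max: u64) -> Result<Vec<u8>, BodyError> {
    if matches!(declared_len, Some(n) if n > max) {
        return Err(BodyError::TooLarge); // rejected before any body byte is buffered
    }
    let mut buf = Vec::new();
    // Read at most max + 1 bytes: the extra byte reveals an oversized body
    // without buffering the rest of it.
    body.take(max.saturating_add(1))
        .read_to_end(&mut buf)
        .map_err(|e| BodyError::Io(e.kind()))?;
    if buf.len() as u64 > max {
        return Err(BodyError::TooLarge);
    }
    Ok(buf)
}

fn main() {
    // Constructed sample input: a small form body and an endless stream.
    let small = &b"name=alice&role=admin"[..];
    println!("unbounded, small body: {} bytes", read_unbounded(small).unwrap().len());
    println!("bounded, small body: {:?}", read_bounded(small, Some(21), MAX_FORM_BYTES).map(|b| b.len()));
    // io::repeat never ends; read_unbounded on it would grow until the process dies.
    let endless = io::repeat(b'A');
    println!("bounded, endless body: {:?}", read_bounded(endless, None, MAX_FORM_BYTES).map(|b| b.len()));
}
```

In a real service the same cap belongs in front of every handler that parses form bodies, so the limit is enforced before the parser allocates.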