How severe is GHSA-pp9r-xg4c-8j4x?

No CVSS score has been assigned to GHSA-pp9r-xg4c-8j4x yet. Review the advisory details and affected package list to assess your exposure.

Which packages are affected by GHSA-pp9r-xg4c-8j4x?

GHSA-pp9r-xg4c-8j4x affects the following packages: salvo (crates.io). Ecosystems affected: crates.io.

How do I fix GHSA-pp9r-xg4c-8j4x?

Update salvo to 0.89.3 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-pp9r-xg4c-8j4x is resolved across your whole dependency graph.

How do I detect GHSA-pp9r-xg4c-8j4x in my crates.io dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for salvo. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-pp9r-xg4c-8j4x if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-pp9r-xg4c-8j4x?

O3 pinpoints whether GHSA-pp9r-xg4c-8j4x is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-pp9r-xg4c-8j4x actively exploited in the wild?

No public exploit code has been indexed for GHSA-pp9r-xg4c-8j4x yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

What is the EPSS score for GHSA-pp9r-xg4c-8j4x?

GHSA-pp9r-xg4c-8j4x has an EPSS (Exploit Prediction Scoring System) score of 0.4%, placing it in the 35th percentile of all CVEs. EPSS is maintained by FIRST.org and estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. This score indicates relatively lower exploitation probability, though the CVSS severity should still guide your patching priority.

What type of vulnerability is GHSA-pp9r-xg4c-8j4x?

GHSA-pp9r-xg4c-8j4x is classified as CWE-770 (CWE-770). This weakness type describe the underlying flaw category, which helps determine the potential impact and the right class of mitigation.

When was GHSA-pp9r-xg4c-8j4x published, and has it been updated?

GHSA-pp9r-xg4c-8j4x was published on March 19, 2026 and was last updated on March 25, 2026. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

🦀 crates.io

GHSA-pp9r-xg4c-8j4x

Salvo Affected by Denial of Service via Unbounded Memory Allocation in Form Data Parsing

Also known asCVE-2026-33241

Published

Mar 19, 2026

Updated

Mar 25, 2026

Affected

1 pkg

Patched

1 / 1

Exploits

None indexed

EPSS Exploitation Probability

via FIRST.org ↗

0.4%probability of exploitation in next 30 days

Lower Risk35th percentile+0.40%

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected

🦀salvo

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects crates.io packages — download data is not available via public APIs for these ecosystems.

Description

Summary

Salvo's form data parsing implementations (form_data() method and Extractible macro) do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory (OOM) conditions by sending extremely large payloads, leading to service crashes and denial of service.

Details

Vulnerability Description

Three attack vectors exist in Salvo's form handling:

URL-encoded form data (application/x-www-form-urlencoded)
- Request::form_data() calls BodyExt::collect(body) which reads the entire body into memory without size checking
- Affects handlers using req.form_data().await directly
Multipart form data (multipart/form-data)
- Similar unbounded memory allocation during parsing
- Affects handlers processing multipart uploads
Extractible macro
- #[derive(Extractible)] with #[salvo(extract(default_source(from = "body")))] internally calls form_data()
- Vulnerabilities propagate to all extractors using body sources

Root Cause

The FormData::read() implementation prioritizes convenience over safety by reading entire request bodies before validation. Even when Request::payload_with_max_size() is available, it's not automatically applied in the form parsing path.

PoC

run Extract data from request example in readme.md in docker file with limited memory say 100mb.
Send application/x-www-form-urlencoded OR multipart/form-data payload to the endpoint.
The server process OOM-crashes, instead of returning 413 error.

Impact

Immediate Effects

Service Unavailability: Servers crash under memory pressure
Resource Exhaustion: Single request can consume all available memory
Cascading Failures: In containerized environments, OOM can affect other services

Attack Characteristics

Low Cost: Attacker needs minimal bandwidth (header only, body can be streamed)
No Authentication: Exploitable on public endpoints
Difficult to Rate-Limit: Traditional rate limiting may not prevent single large request
Amplification: Small network cost → large memory consumption

Real-World Scenarios

Public API endpoints accepting form data
User registration/profile update handlers
File upload endpoints using multipart forms
Any endpoint using #[derive(Extractible)] with body sources

Suggestion: Make Multipart File Upload Handling Explicit Opt-In

Problem Statement

Currently, Salvo's multipart form data parsing automatically handles file uploads without explicit developer intent. This creates several security and usability concerns:

Unintended File Storage: Developers may unknowingly accept file uploads when they only intended to handle text fields
Disk Space Exhaustion: Automatic file buffering to disk can fill storage without proper limits
Resource Cleanup: Temporary files may not be properly cleaned up if handlers don't expect them
Attack Surface: Endpoints inadvertently become file upload targets

Affected Packages

1 total 1 fixed

Ecosystem	Package	Vulnerable range	Fix
🦀crates.io	`salvo`	all versions	0.89.3

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for salvo. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update salvo to 0.89.3 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-pp9r-xg4c-8j4x is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-pp9r-xg4c-8j4x is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-pp9r-xg4c-8j4x. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

## Summary Salvo's form data parsing implementations (`form_data()` method and `Extractible` macro) do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory (OOM) conditions by sending extremely large payloads, leading to service crashes and denial of service. ## Details ### Vulnerability Description Three attack vectors exist in Salvo's form handling: 1. **URL-encoded form data** (`application/x-www-form-urlencoded`) - `Request::form_data()` calls `BodyExt::collect(body)` which reads the entire body into memory without siz

O3 Security · Impact-Aware SCA

Is GHSA-pp9r-xg4c-8j4x in your dependencies?

O3 detects GHSA-pp9r-xg4c-8j4x across crates.io dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works