CVE-2026-33241
Published: 24 March 2026
Summary
CVE-2026-33241 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Salvo Salvo. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 9.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CVE by requiring timely patching of Salvo to version 0.89.3 or later, which enforces payload size limits in form data parsing.
Provides comprehensive denial-of-service protections that counter OOM conditions from attackers sending extremely large form data payloads.
Limits resource availability, such as memory allocation, to prevent service crashes due to unbounded request body consumption in Salvo.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in web framework form parsing allows unauthenticated remote attackers to trigger OOM crashes via oversized payloads, directly enabling T1499.004 (Application or System Exploitation) for Endpoint Denial of Service.
NVD Description
Salvo is a Rust web framework. Prior to version 0.89.3, Salvo's form data parsing implementations (`form_data()` method and `Extractible` macro) do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory (OOM) conditions…
more
by sending extremely large payloads, leading to service crashes and denial of service. Version 0.89.3 contains a patch.
Deeper analysisAI
CVE-2026-33241 affects Salvo, a Rust web framework, in versions prior to 0.89.3. The vulnerability resides in the form data parsing implementations, specifically the `form_data()` method and `Extractible` macro, which fail to enforce payload size limits before loading entire request bodies into memory. This flaw, classified under CWE-770 (Allocation of Resources Without Limits or Throttling), enables out-of-memory (OOM) conditions with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Remote attackers require only network access to exploit this issue, with no authentication, privileges, or user interaction needed. By transmitting extremely large form data payloads, adversaries can trigger excessive memory consumption, causing service crashes and denial-of-service disruptions.
The Salvo project addressed this in version 0.89.3 with a patch enforcing payload size limits. Security practitioners should upgrade to this version or later, as detailed in the GitHub security advisory (GHSA-pp9r-xg4c-8j4x) and release notes (v0.89.3).
Details
- CWE(s)