CVE-2026-22257 Overview
CVE-2026-22257 is a Cross-Site Scripting (XSS) vulnerability in Salvo, a Rust web backend framework. Prior to version 0.88.1, the list_html function generates a file view of a folder without sanitizing the file or folder names. This missing input sanitization can lead to XSS attacks in cases where a website allows public access to files using this feature and permits arbitrary file uploads.
Critical Impact
Attackers can inject malicious scripts through crafted file or folder names, potentially compromising user sessions, stealing credentials, or performing actions on behalf of authenticated users in web applications using Salvo's static file serving feature.
Affected Products
- Salvo web framework versions prior to 0.88.1
- Applications using Salvo's serve-static crate with directory listing enabled
- Web applications allowing public file uploads with directory browsing
Discovery Timeline
- 2026-01-08 - CVE-2026-22257 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2026-22257
Vulnerability Analysis
This vulnerability stems from improper input validation (CWE-79) in Salvo's static file serving functionality. The list_html function, located in the serve-static crate's dir.rs module, renders directory listings as HTML without properly encoding or sanitizing file and folder names before including them in the output.
When a malicious actor uploads a file with a specially crafted name containing JavaScript code or HTML markup, the unsanitized filename is rendered directly in the directory listing page. Any user browsing the directory through the web interface would have the malicious script executed in their browser context.
The exploitation scenario requires two conditions: the application must use Salvo's directory listing feature to expose file directories to users, and there must be a mechanism allowing attackers to upload or create files with arbitrary names. This attack vector is particularly concerning for file sharing platforms, content management systems, or any application that allows user-generated content in public directories.
Root Cause
The root cause is the absence of HTML entity encoding when rendering file and folder names in the list_html function. The function directly interpolates filename strings into the HTML output without escaping special characters such as <, >, ", and &. This allows attackers to break out of the intended HTML context and inject arbitrary script content.
Attack Vector
The attack is network-based and requires user interaction. An attacker would first upload a file with a malicious name containing XSS payload (e.g., <script>alert(document.cookie)</script>.txt). When a victim browses the directory containing this file through Salvo's directory listing feature, their browser renders the unsanitized filename, executing the embedded JavaScript.
The vulnerability enables various XSS attack scenarios including session hijacking, credential theft, phishing within the application context, and drive-by malware downloads. Since the script executes in the context of the vulnerable application's origin, it has full access to cookies, local storage, and can make authenticated requests on behalf of the victim.
The vulnerability exists in the directory listing HTML generation code. For technical details and the specific code location, see the GitHub source code reference.
Detection Methods for CVE-2026-22257
Indicators of Compromise
- Presence of files or folders with names containing HTML tags or JavaScript code (e.g., <script>, <img onerror=, javascript:)
- Unusual file names with URL-encoded characters that decode to script content
- Web server logs showing requests to directory listings followed by suspicious client-side behavior
- User reports of unexpected browser behavior when browsing file directories
Detection Strategies
- Implement file upload monitoring to detect and alert on filenames containing HTML or script content
- Deploy web application firewall (WAF) rules to detect XSS patterns in directory listing responses
- Use Content Security Policy (CSP) headers to mitigate script execution from inline sources
- Monitor application logs for directory listing requests with unusual patterns
- Conduct regular security scans of uploaded file directories for suspicious filenames
Monitoring Recommendations
- Enable detailed logging for the static file serving module to track directory listing access
- Implement alerting on file upload events where filenames contain potentially malicious patterns
- Monitor browser-side telemetry for script errors or unexpected JavaScript execution in directory contexts
- Review CSP violation reports for attempts to execute inline scripts in directory listing pages
How to Mitigate CVE-2026-22257
Immediate Actions Required
- Upgrade Salvo to version 0.88.1 or later immediately
- Audit existing file directories for files with potentially malicious names and rename or remove them
- Implement Content Security Policy headers to restrict inline script execution
- Consider temporarily disabling directory listing functionality until the patch is applied
- Review and sanitize any existing user-uploaded filenames in public directories
Patch Information
The vulnerability has been patched in Salvo version 0.88.1. The fix implements proper HTML entity encoding for file and folder names before rendering them in directory listings. Upgrade to version 0.88.1 or later to remediate this vulnerability. For detailed information about the security fix, refer to the GitHub Security Advisory GHSA-54m3-5fxr-2f3j.
Workarounds
- Disable public directory listing functionality by removing or reconfiguring the serve-static handler
- Implement server-side filename validation to reject uploads containing HTML special characters
- Add a reverse proxy or WAF layer that sanitizes directory listing responses
- Use Content Security Policy headers with strict script-src directives to prevent inline script execution
- Implement custom directory listing logic that properly escapes all user-controlled content
# Example: Add CSP header in reverse proxy (nginx)
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
