Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-33242

CVE-2026-33242: Salvo Path Traversal Vulnerability

CVE-2026-33242 is a path traversal vulnerability in Salvo web framework that allows attackers to bypass proxy routing and access protected endpoints. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-33242 Overview

CVE-2026-33242 is a Path Traversal and Access Control Bypass vulnerability affecting the salvo-proxy component of the Salvo Rust web framework. This vulnerability allows unauthenticated remote attackers to bypass proxy routing constraints and access unintended backend paths, including protected endpoints and administrative dashboards. The flaw originates from the encode_url_path function, which fails to properly normalize ../ sequences, inadvertently forwarding them verbatim to upstream servers by not re-encoding the . character.

Critical Impact

Unauthenticated attackers can bypass access controls to reach protected backend resources, potentially exposing sensitive administrative interfaces and confidential data.

Affected Products

  • Salvo versions 0.39.0 through 0.89.2
  • Applications using the salvo-proxy component for reverse proxy functionality
  • Rust web applications relying on Salvo's URL encoding for path handling

Discovery Timeline

  • 2026-03-24 - CVE-2026-33242 published to NVD
  • 2026-03-24 - Last updated in NVD database

Technical Details for CVE-2026-33242

Vulnerability Analysis

This vulnerability is classified as CWE-22 (Path Traversal), affecting the salvo-proxy component's URL path encoding mechanism. The core issue lies in how the encode_url_path function processes path segments containing directory traversal sequences.

When a request containing ../ sequences is received by a Salvo-based proxy, the function fails to normalize these path components before forwarding the request upstream. The function does not re-encode the . character, which allows the literal ../ sequence to pass through to the backend server unchanged. This enables attackers to escape the intended directory scope and access resources outside the proxied path.

The vulnerability is particularly dangerous because it requires no authentication to exploit. An external attacker can craft HTTP requests with path traversal payloads that bypass the proxy's routing configuration, potentially reaching administrative endpoints, configuration files, or other protected resources on backend servers.

Root Cause

The root cause of this vulnerability is improper input validation and URL encoding within the encode_url_path function in the salvo-proxy component. Specifically:

  1. The function processes URL paths without first normalizing directory traversal sequences (../ and ./)
  2. The . character is not re-encoded during path processing, allowing traversal sequences to remain intact
  3. No validation occurs to detect and reject path traversal attempts before proxying requests upstream

This implementation oversight allows malicious path components to bypass the proxy layer's intended access controls and reach backend resources directly.

Attack Vector

The attack vector for CVE-2026-33242 is network-based, requiring no authentication or user interaction. An attacker can exploit this vulnerability by sending specially crafted HTTP requests to a Salvo-based proxy server containing ../ sequences in the URL path.

For example, if a proxy is configured to forward requests from /api/ to an upstream server, an attacker could send a request like /api/../admin/ to escape the intended path scope and access the /admin/ endpoint on the backend server. The proxy fails to sanitize these sequences, forwarding them verbatim and allowing unauthorized access to protected resources.

The exploitation mechanism involves sending HTTP requests with path traversal payloads such as ../ sequences that bypass the proxy's path-based routing rules. When the encode_url_path function processes these requests, it fails to normalize the traversal sequences, allowing them to pass through to the upstream server unchanged. For detailed technical information about the vulnerability and its exploitation, see the GitHub Security Advisory GHSA-f842-phm9-p4v4.

Detection Methods for CVE-2026-33242

Indicators of Compromise

  • HTTP access logs containing URL paths with ../ or encoded traversal sequences (%2e%2e%2f)
  • Requests targeting administrative endpoints originating from the proxy layer
  • Unusual access patterns to backend resources that should not be reachable through the proxy
  • Error logs indicating path resolution issues on upstream servers

Detection Strategies

  • Implement Web Application Firewall (WAF) rules to detect and block path traversal patterns in incoming requests
  • Configure intrusion detection systems to alert on ../ sequences in HTTP request paths
  • Review proxy access logs for requests containing directory traversal indicators
  • Deploy network monitoring to identify anomalous traffic patterns targeting backend administrative interfaces

Monitoring Recommendations

  • Enable detailed request logging on Salvo proxy instances to capture full URL paths
  • Monitor backend server access logs for requests that bypass expected proxy routing
  • Set up alerts for access to sensitive endpoints that should only be reachable through authenticated channels
  • Implement log correlation between proxy and upstream servers to detect traversal bypass attempts

How to Mitigate CVE-2026-33242

Immediate Actions Required

  • Upgrade Salvo to version 0.89.3 or later immediately
  • Audit access logs for evidence of exploitation attempts using path traversal patterns
  • Review backend server configurations to ensure sensitive endpoints have additional authentication layers
  • Deploy temporary WAF rules to block requests containing ../ sequences until patching is complete

Patch Information

Salvo version 0.89.3 contains the fix for this vulnerability. The patch corrects the encode_url_path function to properly normalize and reject path traversal sequences before forwarding requests upstream.

Users should upgrade using Cargo by updating the salvo dependency in their Cargo.toml file to version 0.89.3 or later. The fix can be reviewed in the GitHub Commit and the patched release is available at GitHub Release v0.89.3.

Workarounds

  • Deploy a reverse proxy or WAF in front of Salvo instances to filter path traversal attempts
  • Implement middleware to validate and normalize request paths before they reach the proxy component
  • Configure upstream servers to reject requests containing ../ sequences
  • Restrict network access to backend administrative endpoints using firewall rules
bash
# Example: Update Salvo dependency in Cargo.toml
# Change the version requirement to include the patched version
[dependencies]
salvo = ">=0.89.3"

# Then run cargo update to fetch the patched version
cargo update -p salvo

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne