Salvo Web Framework Denial-of-Service Vulnerability via Unbounded Form Data Parsing
Vulnerability
A denial-of-service vulnerability has been identified in the Salvo web framework for Rust, affecting versions prior to 0.89.3. The framework's form-data parsing methods, including 'form_data()' and the 'Extractible' macro, read the entire request body into memory without first enforcing a payload size limit. An attacker can therefore send an arbitrarily large body and drive the server process into an out-of-memory condition that crashes the service. Any handler that parses URL-encoded or multipart form data is affected, as is any handler that uses the 'Extractible' macro with body sources.
Impact
Exploitation of this vulnerability causes servers to crash under memory pressure, with a single request capable of consuming all available memory. In containerized environments, such an out-of-memory condition can disrupt other running services.
Reproduction
To reproduce, run a Salvo application built against a version prior to 0.89.3, for example the upstream 'Extract data from request' example, under a 100 MB memory limit. Send a request body larger than that limit, as either 'application/x-www-form-urlencoded' or 'multipart/form-data', to an endpoint that parses form data. The server is terminated for exhausting its memory instead of answering with '413 Payload Too Large'.
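The two patterns at issue, as an added Rust example that is not Salvo's own code: 'read_body_unbounded' is the pattern the advisory describes (the whole body is read into memory with no cap), and 'read_body_bounded' is the hardened form, which rejects a declared Content-Length above the cap and then bounds the actual read so that a missing or false Content-Length cannot bypass the limit, returning an error the handler would map to 413. The 64 KiB cap, the function names and the small urlencoded parser are assumptions made for this example; 'main' simulates the reproduction above with a constructed 10 GiB body stream that yields bytes without allocating them.

```rust
use std::io::{self, Read};

/// Hypothetical cap for this example; Salvo's own fixed limit is not reproduced here.
pub const MAX_FORM_BYTES: u64 = 64 * 1024;

#[derive(Debug, PartialEq)]
pub enum BodyError {
    /// The handler should answer this with HTTP 413 Payload Too Large.
    PayloadTooLarge,
    Io(String),
}

impl From<io::Error> for BodyError {
    fn from(e: io::Error) -> Self {
        BodyError::Io(e.to_string())
    }
}

/// The vulnerable pattern: slurp the whole body into memory with no cap.
/// With a multi-gigabyte body the Vec grows until the allocator fails (OOM).
pub fn read_body_unbounded<R: Read>(mut body: R) -> Result<Vec<u8>, BodyError> {
    let mut buf = Vec::new();
    body.read_to_end(&mut buf)?;
    Ok(buf)
}

/// The hardened pattern: reject early on a declared Content-Length above the cap,
/// then bound the actual read, because Content-Length may be absent (chunked
/// transfer) or simply false.
pub fn read_body_bounded<R: Read>(body: R, content_length: Option<u64>, max: u64) -> Result<Vec<u8>, BodyError> {
    if matches!(content_length, Some(len) if len > max) {
        return Err(BodyError::PayloadTooLarge);
    }
    // Read at most max + 1 bytes; the extra byte proves the body exceeded the cap
    // while never buffering more than max + 1 bytes.
    let mut buf = Vec::new();
    body.take(max + 1).read_to_end(&mut buf)?;
    if buf.len() as u64 > max {
        return Err(BodyError::PayloadTooLarge);
    }
    Ok(buf)
}

/// Percent-decode one urlencoded token ('+' becomes a space; malformed escapes are kept literally).
fn percent_decode(s: &[u8]) -> String {
    let mut out = Vec::with_capacity(s.len());
    let mut i = 0;
    while i < s.len() {
        match s[i] {
            b'+' => { out.push(b' '); i += 1; }
            b'%' if i + 2 < s.len() => {
                let hex = std::str::from_utf8(&s[i + 1..i + 3]).ok()
                    .and_then(|h| u8::from_str_radix(h, 16).ok());
                match hex {
                    Some(b) => { out.push(b); i += 3; }
                    None => { out.push(b'%'); i += 1; }
                }
            }
            b => { out.push(b); i += 1; }
        }
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Minimal application/x-www-form-urlencoded parser, run only on a body that
/// has already passed the size check.
pub fn parse_form(body: &[u8]) -> Vec<(String, String)> {
    body.split(|&b| b == b'&')
        .filter(|pair| !pair.is_empty())
        .map(|pair| {
            let (k, v) = match pair.iter().position(|&b| b == b'=') {
                Some(i) => (&pair[..i], &pair[i + 1..]),
                None => (pair, &b""[..]),
            };
            (percent_decode(k), percent_decode(v))
        })
        .collect()
}

fn main() {
    // Constructed 10 GiB body stream: nothing is allocated, it just yields 'a' bytes.
    let huge = io::repeat(b'a').take(10 * 1024 * 1024 * 1024);
    // read_body_unbounded(huge) would exhaust memory; the bounded reader stops
    // after MAX_FORM_BYTES + 1 bytes and rejects the request.
    println!("{:?}", read_body_bounded(huge, None, MAX_FORM_BYTES));

    // Constructed small form body with a truthful Content-Length.
    let raw = b"user=alice&note=hello+world%21".to_vec();
    let declared = raw.len() as u64;
    let body = read_body_bounded(io::Cursor::new(raw), Some(declared), MAX_FORM_BYTES).unwrap();
    println!("{:?}", parse_form(&body));
}
```

The bounded reader never holds more than max + 1 bytes regardless of the body's real size, which is why the simulated 10 GiB body is rejected almost immediately instead of filling memory; the same check belongs in every handler path that materialises a body before parsing it, multipart included.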
Remediation
Upgrade to Salvo version 0.89.3 or later, where form-data parsing enforces a payload size limit. As defense in depth, also cap request body size in front of the application, for example with a reverse proxy such as nginx ('client_max_body_size'), so that oversized bodies are rejected before they reach a handler.
