Salvo Path Traversal and Access Control Bypass Vulnerability in salvo-proxy Component
Vulnerability
A path traversal and access control bypass vulnerability has been identified in the salvo-proxy component of the Salvo web framework for Rust, affecting versions 0.39.0 through 0.89.2. This vulnerability allows unauthenticated external attackers to bypass proxy routing constraints and access unintended backend paths, such as protected endpoints or administrative dashboards. The issue arises from the encode_url_path function, which fails to properly normalize '../' sequences, forwarding them verbatim to the upstream server without re-encoding the '.' character. As a result, requests can be manipulated to access restricted areas of the application.
Impact
Exploitation of this vulnerability could lead to unauthorized access to protected backend paths, including administrative dashboards and sensitive endpoints.
Reproduction
To reproduce this vulnerability, set up an Nginx backend server. Then, start the Salvo proxy gateway, routing to the '/api/' endpoint. Finally, send a request through the proxy that includes a URL-encoded path traversal sequence, such as '%2e%2e%2fadmin/index.html'. This request will bypass the API gateway's security checks and access the administrative page.
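The defensive check a reverse proxy should apply before forwarding, shown here as an added Rust example that is not salvo-proxy's code or its patch: percent-decode the request path once, resolve "." and ".." segments, and only forward when the normalized path still lies under the routed prefix. The function names (`percent_decode`, `normalize_path`, `guard_proxy_path`), the `Verdict` type and the sample paths are assumptions constructed for illustration; the `/api/` prefix and the `%2e%2e%2f` sequence are the ones from the reproduction above.

```rust
// Added example, not salvo-proxy's code: a request-path guard for a reverse
// proxy that routes a prefix such as "/api/". All names here are assumptions.

/// Percent-decode a path once. Returns None on a malformed escape or on a
/// byte sequence that is not valid UTF-8.
fn percent_decode(input: &str) -> Option<String> {
    let bytes = input.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' {
            if i + 2 >= bytes.len() {
                return None; // "%" without two hex digits after it
            }
            let hex = std::str::from_utf8(&bytes[i + 1..i + 3]).ok()?;
            out.push(u8::from_str_radix(hex, 16).ok()?);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    String::from_utf8(out).ok()
}

/// Resolve "." and ".." segments in the spirit of RFC 3986 remove_dot_segments.
/// Returns None if ".." would climb above the root; empty segments (a leading
/// or trailing "/") are dropped, so "/api/" normalizes to "/api".
fn normalize_path(path: &str) -> Option<String> {
    let mut stack: Vec<&str> = Vec::new();
    for seg in path.split('/') {
        match seg {
            "" | "." => {}
            ".." => {
                stack.pop()?; // nothing left to pop: traversal above root
            }
            s => stack.push(s),
        }
    }
    Some(format!("/{}", stack.join("/")))
}

#[derive(Debug, PartialEq)]
enum Verdict {
    /// Safe to forward; carries the normalized path for logging.
    Forward(String),
    /// Refuse the request, with the reason for the access log.
    Reject(&'static str),
}

/// Decide whether `raw_path` (as received on the wire) may be forwarded to
/// the backend that `prefix` (e.g. "/api/") is routed to.
fn guard_proxy_path(prefix: &str, raw_path: &str) -> Verdict {
    let decoded = match percent_decode(raw_path) {
        Some(d) => d,
        None => return Verdict::Reject("malformed percent-encoding"),
    };
    // Conservative choice: a '%' surviving one decode means a second encoding
    // layer (e.g. "%252e") that the upstream might decode again; refuse it
    // rather than try to predict the backend's decoding behaviour.
    if decoded.contains('%') {
        return Verdict::Reject("second encoding layer present");
    }
    let normalized = match normalize_path(&decoded) {
        Some(n) => n,
        None => return Verdict::Reject("dot-segments escape root"),
    };
    let root = prefix.trim_end_matches('/');
    if normalized == root || normalized.starts_with(&format!("{}/", root)) {
        Verdict::Forward(normalized)
    } else {
        Verdict::Reject("normalized path leaves the routed prefix")
    }
}

fn main() {
    // Constructed sample: the traversal from the reproduction, and a benign path.
    for path in ["/api/%2e%2e%2fadmin/index.html", "/api/users/%2e/list"] {
        println!("{path} -> {:?}", guard_proxy_path("/api/", path));
    }
}
```

The guard inspects a decoded copy and, when it passes, forwards the original raw path unchanged, so the backend still receives exactly what the client sent; the point is only to refuse requests whose resolved target is outside the routed prefix, which is what the vulnerable encode_url_path path failed to do.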
Remediation
Users can upgrade to Salvo version 0.89.3, which includes a patch for this vulnerability. Instructions for downloading this version are available on the Salvo GitHub releases page.
