Skip to content

Salvo has a Path Traversal in salvo-proxy::encode_url_path allows API Gateway Bypass

High severity GitHub Reviewed Published Mar 18, 2026 in salvo-rs/salvo

Package

cargo salvo (Rust)

Affected versions

>= 0.39.0, <= 0.89.2

Patched versions

0.89.3

Description

Details

A Path Traversal and Access Control Bypass vulnerability was discovered in the salvo-proxy component of the Salvo Rust framework (v0.89.2). The vulnerability allows an unauthenticated external attacker to bypass proxy routing constraints and access unintended backend paths (e.g., protected endpoints or administrative dashboards). This issue stems from the encode_url_path function, which fails to normalize "../" sequences and inadvertently forwards them verbatim to the upstream server by not re-encoding the "." character.

Technical Details

If someone tries to attack by sending a special code like %2e%2e, Salvo changes it back to ../ when it first checks the path. The proxy then gets this plain ../ value. When making the new URL to send forward, the encode_url_path function tries to change the path again, but its normal settings do not include the . (dot) character. Because of this, the proxy puts ../ straight into the new URL and sends a request like GET /api/../admin HTTP/1.1 to the backend server.

// crates/proxy/src/lib.rs (Lines 100-105)

pub(crate) fn encode_url_path(path: &str) -> String {
    path.split('/')
        .map(|s| utf8_percent_encode(s, PATH_ENCODE_SET).to_string())
        .collect::<Vec<_>>()
        .join("/")
}

PoC

1 - Setup an Nginx Backend Server for example
2 - Start Salvo Proxy Gateway in other port routing to /api/
3 - Run the curl to test the bypass:

curl -s http://127.0.0.1:8080/gateway/api/%2e%2e%2fadmin/index.html

Impact

If attackers take advantage of this problem, they can get past API Gateway security checks and route limits without logging in. This could accidentally make internal services, admin pages, or folders visible.

The attack works because the special path is sent as-is to the backend, which often happens in systems that follow standard web address rules. Attackers might also use different ways of writing URLs or add extra parts to the web address to get past simple security checks that only look for exact ../ patterns.

Remediation

Instead of changing the text of the path manually, the proxy should use a standard way to clean up the path according to RFC 3986 before adding it to the main URL. It is better to use a trusted tool like the URL crate to join paths, or to block any path parts with “..” after decoding them. But a custom implementation maybe looks like:

pub(crate) fn encode_url_path(path: &str) -> String {
    let normalized = normalize_path(path);
    normalized.split('/')
        .map(|s| utf8_percent_encode(s, PATH_ENCODE_SET).to_string())
        .collect::<Vec<_>>()
        .join("/")
}

fn normalize_path(path: &str) -> String {
    let mut stack = Vec::new();
    for part in path.split('/') {
        match part {
            "" | "." => (), 
            ".." => { let _ = stack.pop(); },
            _ => stack.push(part),
        }
    }
    stack.join("/")
}

Vulnerable code introduced in:
salvo-rs/salvo@7bac30e#diff-e319bf7afcb577f7e9f4fb767005072f6335d23f306dd52e8c94f3d222610d02R20

Author: Tomas Illuminati

References

@chrislearn chrislearn published to salvo-rs/salvo Mar 18, 2026
Published to the GitHub Advisory Database Mar 19, 2026
Reviewed Mar 19, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS score

Weaknesses

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Learn more on MITRE.

CVE ID

CVE-2026-33242

GHSA ID

GHSA-f842-phm9-p4v4

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.