The vulnerability identified as CVE-2026-33242 affects the salvo-rs web framework, a Rust-based framework widely used for building web applications. The issue lies in the salvo-proxy component, where the encode_url_path function inadequately handles URL path normalization. Specifically, it fails to re-encode the '.' character, allowing '../' sequences to be forwarded verbatim to upstream servers. This improper limitation of pathname (CWE-22) results in a path traversal vulnerability, enabling attackers to circumvent proxy routing constraints. Consequently, an unauthenticated external attacker can access backend resources that should be restricted, such as administrative dashboards or protected API endpoints. The vulnerability spans versions 0.39.0 through 0.89.2, with a fix introduced in version 0.89.3. The CVSS 3.1 base score is 7.5, reflecting a high severity due to the vulnerability's network attack vector, low attack complexity, no required privileges or user interaction, and high impact on confidentiality. Although no exploits have been observed in the wild, the ease of exploitation and potential access to sensitive backend resources pose significant risks.

This vulnerability can have serious consequences for organizations deploying applications using the affected versions of salvo-rs. Attackers can bypass proxy routing controls to access sensitive backend systems, potentially exposing confidential data or administrative interfaces. While the vulnerability does not directly affect data integrity or availability, unauthorized access to protected endpoints can lead to further exploitation, data leakage, or unauthorized configuration changes. The lack of authentication requirements and the ability to exploit remotely increase the risk of widespread attacks. Organizations relying on salvo-rs for critical web services, especially those exposing administrative or sensitive APIs behind proxies, face elevated risks of data breaches and unauthorized access. The impact is amplified in environments where salvo-proxy is used as a security boundary or access control mechanism.

To mitigate this vulnerability, organizations should upgrade all instances of salvo-rs to version 0.89.3 or later, where the encode_url_path function properly normalizes and re-encodes path segments to prevent traversal. In addition to upgrading, it is advisable to implement strict input validation and URL normalization at the proxy and application layers to detect and block suspicious path traversal patterns. Deploying web application firewalls (WAFs) with rules targeting path traversal attempts can provide an additional defense layer. Monitoring logs for unusual access patterns or attempts to access administrative paths can help detect exploitation attempts early. Network segmentation should be used to limit backend system exposure, and access controls should be enforced independently of proxy routing to reduce reliance on a single security mechanism. Regular security audits and code reviews of proxy components are recommended to identify similar issues proactively.