GHSA-RJF8-2WCW-F6MP

Vulnerability from github – Published: 2026-01-08 21:22 – Updated: 2026-01-08 21:37
VLAI?
Summary
Salvo is vulnerable to reflected XSS in the list_html function
Details

Summary

The function list_html generates an file view of a folder which includes a render of the current path, in which its inserted in the HTML without proper sanitation, leading to reflected XSS. The request path is decoded and normalized in the matching stage but is not inserted raw in the HTML view (current.path). The only constraint here is for the root path (e.g., /files in the PoC example) to have a subdirectory (e. g., common ones like styles/scripts/etc.) so that the matching returns the list HTML page instead of the Not Found page.

Details

The vulnerable snippet of code is the following: dir.rs

// ... fn list_html(...
    let mut ftxt = format!(
        r#"<!DOCTYPE html><html><head>
        <meta charset="utf-8">
        <meta name="viewport" content="width=device-width">
        <title>{}</title>
        <style>{}</style></head><body><header><h3>Index of: {}</h3></header><hr/>"#,
        current.path,
        HTML_STYLE,
        header_links(&current.path)
    );
// ...

As seen here <title>{}</title> it is inserted unsafely.

PoC

https://github.com/user-attachments/assets/92a29a67-547b-40a5-af26-f1b0dd332702

Here is the example app, note this doesn’t need an upload feature (e.g to the other reported vulnerability), only the sub-folder is required.

main.rs

use salvo::prelude::*;
use salvo::serve_static::StaticDir;
use tokio::fs;

#[tokio::main]
async fn main() {
    tracing_subscriber::fmt().init();
    fs::create_dir_all("uploads").await.expect("create uploads dir");

    let router = Router::new()
        .push(
            Router::with_path("files/{**rest_path}")
                .get(StaticDir::new("uploads").auto_list(true)),
        );

    let acceptor = TcpListener::new("127.0.0.1:5800").bind().await;
    Server::new(acceptor).serve(router).await;
}

Cargo.toml

[package]
name = "salvo-staticdir-xss-poc"
version = "0.1.0"
edition = "2024"

[dependencies]
salvo = { version = "0.85.0", features = ["serve-static"] }
tokio = { version = "1", features = ["macros", "rt-multi-thread", "fs"] }
tracing-subscriber = "0.3"

Setup commands:

mkdir uploads
mkdir uploads/bla

Impact

JavaScript execution, most likely leading to an account takeover, depending on the site's constraint (CSP, etc…).

Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "salvo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.88.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22256"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-08T21:22:18Z",
    "nvd_published_at": "2026-01-08T19:16:00Z",
    "severity": "HIGH"
  },
  "details": "# Summary\n\nThe function `list_html` generates an file view of a folder which includes a render of the current path, in which its inserted in the HTML without proper sanitation, leading to reflected XSS. The request path is decoded and normalized in the matching stage but is not inserted raw in the HTML view (current.path). The only constraint here is for the root path (e.g., /files in the PoC example) to have a subdirectory (e. g., common ones like styles/scripts/etc.) so that the matching returns the list HTML page instead of the Not Found page.\n\n# Details\n\nThe vulnerable snippet of code is the following:\n[**dir.rs**](https://github.com/salvo-rs/salvo/blob/16efeba312a274739606ce76366d921768628654/crates/serve-static/src/dir.rs#L593)\n\n```rust\n// ... fn list_html(...\n    let mut ftxt = format!(\n        r#\"\u003c!DOCTYPE html\u003e\u003chtml\u003e\u003chead\u003e\n        \u003cmeta charset=\"utf-8\"\u003e\n        \u003cmeta name=\"viewport\" content=\"width=device-width\"\u003e\n        \u003ctitle\u003e{}\u003c/title\u003e\n        \u003cstyle\u003e{}\u003c/style\u003e\u003c/head\u003e\u003cbody\u003e\u003cheader\u003e\u003ch3\u003eIndex of: {}\u003c/h3\u003e\u003c/header\u003e\u003chr/\u003e\"#,\n        current.path,\n        HTML_STYLE,\n        header_links(\u0026current.path)\n    );\n// ...\n```\n\nAs seen here `\u003ctitle\u003e{}\u003c/title\u003e` it is inserted unsafely.\n\n# PoC\n\nhttps://github.com/user-attachments/assets/92a29a67-547b-40a5-af26-f1b0dd332702\n\nHere is the example app, note this doesn\u2019t need an upload feature (e.g to the other reported vulnerability), only the sub-folder is required.\n\n`main.rs`\n```rust\nuse salvo::prelude::*;\nuse salvo::serve_static::StaticDir;\nuse tokio::fs;\n\n#[tokio::main]\nasync fn main() {\n    tracing_subscriber::fmt().init();\n    fs::create_dir_all(\"uploads\").await.expect(\"create uploads dir\");\n\n    let router = Router::new()\n        .push(\n            Router::with_path(\"files/{**rest_path}\")\n                .get(StaticDir::new(\"uploads\").auto_list(true)),\n        );\n\n    let acceptor = TcpListener::new(\"127.0.0.1:5800\").bind().await;\n    Server::new(acceptor).serve(router).await;\n}\n```\n\n`Cargo.toml`\n```rust\n[package]\nname = \"salvo-staticdir-xss-poc\"\nversion = \"0.1.0\"\nedition = \"2024\"\n\n[dependencies]\nsalvo = { version = \"0.85.0\", features = [\"serve-static\"] }\ntokio = { version = \"1\", features = [\"macros\", \"rt-multi-thread\", \"fs\"] }\ntracing-subscriber = \"0.3\"\n```\n\nSetup commands:\n```bash\nmkdir uploads\nmkdir uploads/bla\n```\n\n# Impact\n\nJavaScript execution, most likely leading to an account takeover, depending on the site\u0027s constraint (CSP, etc\u2026).",
  "id": "GHSA-rjf8-2wcw-f6mp",
  "modified": "2026-01-08T21:37:17Z",
  "published": "2026-01-08T21:22:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/salvo-rs/salvo/security/advisories/GHSA-rjf8-2wcw-f6mp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22256"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/salvo-rs/salvo"
    },
    {
      "type": "WEB",
      "url": "https://github.com/salvo-rs/salvo/blob/16efeba312a274739606ce76366d921768628654/crates/serve-static/src/dir.rs#L593"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Salvo is vulnerable to reflected XSS in the list_html function"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.