You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
<bytes::Bytes as axum_core::extract::FromRequest>::from_request would not, by
default, set a limit for the size of the request body. That meant if a malicious
peer would send a very large (or infinite) body your server might run out of
memory and crash.
This also applies to these extractors which used Bytes::from_request
internally:
axum::extract::Form
axum::extract::Json
String
The fix is also in axum-core0.3.0.rc.2 but 0.3.0.rc.1is vulnerable.
Because axum depends on axum-core it is vulnerable as well. The vulnerable
versions of axum are <= 0.5.15 and 0.6.0.rc.1. axum>= 0.5.16 and >= 0.6.0.rc.2 does have the fix and are not vulnerable.
The patched versions will set a 2 MB limit by default.
axum-core
0.1.2
>=0.2.8, <0.3.0-rc.1,>=0.3.0-rc.2
<bytes::Bytes as axum_core::extract::FromRequest>::from_request
would not, bydefault, set a limit for the size of the request body. That meant if a malicious
peer would send a very large (or infinite) body your server might run out of
memory and crash.
This also applies to these extractors which used
Bytes::from_request
internally:
axum::extract::Form
axum::extract::Json
String
The fix is also in
axum-core
0.3.0.rc.2
but0.3.0.rc.1
is vulnerable.Because
axum
depends onaxum-core
it is vulnerable as well. The vulnerableversions of
axum
are<= 0.5.15
and0.6.0.rc.1
.axum
>= 0.5.16
and>= 0.6.0.rc.2
does have the fix and are not vulnerable.The patched versions will set a 2 MB limit by default.
See advisory page for additional details.
The text was updated successfully, but these errors were encountered: