RUSTSEC-2022-0055: No default limit put on request bodies #5

Open
github-actions bot opened this issue Sep 13, 2022 · 0 comments

Comments

@github-actions

No default limit put on request bodies

Details
Package axum-core
Version 0.1.2
URL tokio-rs/axum#1346
Date 2022-08-31
Patched versions >=0.2.8, <0.3.0-rc.1,>=0.3.0-rc.2

<bytes::Bytes as axum_core::extract::FromRequest>::from_request would not, by
default, set a limit on the size of the request body. That meant that if a malicious
peer sent a very large (or infinite) body, your server might run out of
memory and crash.

This also applies to the following extractors, which use Bytes::from_request
internally:

  • axum::extract::Form
  • axum::extract::Json
  • String

The fix is also in axum-core 0.3.0-rc.2, but 0.3.0-rc.1 is vulnerable.

Because axum depends on axum-core, it is vulnerable as well. The vulnerable
versions of axum are <= 0.5.15 and 0.6.0-rc.1. axum >= 0.5.16 and
>= 0.6.0-rc.2 have the fix and are not vulnerable.

The patched versions will set a 2 MB limit by default.

See advisory page for additional details.
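As an added, stand-alone illustration (not code from axum, axum-core or the advisory), the following Rust shows the unbounded buffering pattern the advisory describes beside a bounded read that stops as soon as the running total passes a cap, using the 2 MB default the patched versions apply. It uses only the standard library; the function names, the 8 KiB chunk size, and the reading of "2 MB" as 2 * 1024 * 1024 bytes are assumptions made for this example. The endless body is simulated with std::io::repeat, which never reaches EOF, so the unbounded reader would grow without limit while the bounded one rejects the body after at most one chunk past the cap.

```rust
use std::io::{self, Read};

/// Cap matching the advisory's patched behaviour: 2 MB (assumed to mean 2 * 1024 * 1024 bytes).
pub const DEFAULT_BODY_LIMIT: usize = 2 * 1024 * 1024;

#[derive(Debug, PartialEq)]
pub enum BodyError {
    /// Body exceeded the cap; an HTTP server would answer 413 Payload Too Large.
    TooLarge { limit: usize },
    Io(String),
}

/// Vulnerable pattern (the pre-fix behaviour described in the advisory): buffer the whole
/// body with no bound. A very large or endless stream grows this Vec until the process
/// is out of memory. Never call this with an untrusted or endless reader.
pub fn read_body_unbounded<R: Read>(mut body: R) -> Result<Vec<u8>, BodyError> {
    let mut buf = Vec::new();
    body.read_to_end(&mut buf).map_err(|e| BodyError::Io(e.to_string()))?;
    Ok(buf)
}

/// Hardened pattern: read in fixed-size chunks and stop as soon as the accumulated length
/// would exceed `limit`. Memory stays bounded by `limit` plus one chunk no matter how long
/// the peer keeps sending.
pub fn read_body_limited<R: Read>(mut body: R, limit: usize) -> Result<Vec<u8>, BodyError> {
    let mut buf = Vec::new();
    let mut chunk = [0u8; 8 * 1024]; // 8 KiB read granularity (assumed, not axum's value)
    loop {
        let n = match body.read(&mut chunk) {
            Ok(n) => n,
            Err(e) if e.kind() == io::ErrorKind::Interrupted => continue,
            Err(e) => return Err(BodyError::Io(e.to_string())),
        };
        if n == 0 {
            return Ok(buf); // EOF: the whole body fit within the limit
        }
        if buf.len() + n > limit {
            // Reject before copying: nothing beyond the cap is ever buffered.
            return Err(BodyError::TooLarge { limit });
        }
        buf.extend_from_slice(&chunk[..n]);
    }
}

fn main() {
    // Constructed sample bodies: a small JSON document and an endless stream of 'A'.
    let small = io::Cursor::new(b"{\"ok\":true}".to_vec());
    println!("small body: {:?}", read_body_limited(small, DEFAULT_BODY_LIMIT).map(|b| b.len()));

    let endless = io::repeat(b'A'); // a peer that never stops sending
    println!("endless body: {:?}", read_body_limited(endless, DEFAULT_BODY_LIMIT));
}
```

In the patched crates this bound lives inside the extractors themselves (Bytes, String, Form, Json), so an application does not write a loop like this; axum 0.5.16 and later also expose axum::extract::DefaultBodyLimit for routes that legitimately need a larger or smaller cap than 2 MB. The point of the example is the shape of the defence: the size check happens before the data is copied, and an endless body therefore terminates in a rejection instead of an allocation.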
