This repository has been archived by the owner on Oct 25, 2024. It is now read-only.

RUSTSEC-2022-0055: No default limit put on request bodies #211

Closed
github-actions bot opened this issue Sep 14, 2022 · 0 comments

No default limit put on request bodies

Details
Package axum-core
Version 0.1.2
URL tokio-rs/axum#1346
Date 2022-08-31
Patched versions >=0.2.8, <0.3.0-rc.1, >=0.3.0-rc.2

<bytes::Bytes as axum_core::extract::FromRequest>::from_request would not, by
default, set a limit for the size of the request body. That meant that if a malicious
peer sent a very large (or infinite) body, your server might run out of memory
and crash.

This also applies to these extractors which used Bytes::from_request
internally:

  • axum::extract::Form
  • axum::extract::Json
  • String

The fix is also in axum-core 0.3.0-rc.2, but 0.3.0-rc.1 is vulnerable.

Because axum depends on axum-core, it is vulnerable as well. The vulnerable
versions of axum are <= 0.5.15 and 0.6.0-rc.1. axum >= 0.5.16 and
>= 0.6.0-rc.2 have the fix and are not vulnerable.

The patched versions will set a 2 MB limit by default.
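The check the patched versions add is a cap applied while the body is still being read, so a buffer can never grow past the limit. The example below is an added illustration, not axum's or axum-core's own code: it models that cap in plain std Rust (no axum dependency), with the 2 MB default from the advisory and an endless `io::repeat` stream standing in for the "infinite body" case. The function and error names are chosen here and are not axum identifiers.

```rust
use std::io::{self, Read};

/// Default cap matching the one the patched axum-core versions apply (2 MB).
pub const DEFAULT_BODY_LIMIT: usize = 2 * 1024 * 1024;

#[derive(Debug, PartialEq)]
pub enum BodyError {
    /// The body passed `limit` bytes; reading stopped before buffering more.
    TooLarge { limit: usize },
    Io(String),
}

/// Unbounded read: this is what the vulnerable extractor amounted to. It keeps
/// reading until EOF, so an endless body exhausts memory. Shown for contrast only.
pub fn read_body_unbounded<R: Read>(mut reader: R) -> Result<Vec<u8>, BodyError> {
    let mut body = Vec::new();
    reader.read_to_end(&mut body).map_err(|e| BodyError::Io(e.to_string()))?;
    Ok(body)
}

/// Bounded read: consume the body in chunks and reject it as soon as the running
/// total would exceed `limit`. The buffer therefore never holds more than `limit`
/// bytes, whatever the peer sends, and an endless stream is rejected promptly.
pub fn read_body_limited<R: Read>(mut reader: R, limit: usize) -> Result<Vec<u8>, BodyError> {
    let mut body = Vec::new();
    let mut chunk = [0u8; 8192];
    loop {
        let n = reader.read(&mut chunk).map_err(|e| BodyError::Io(e.to_string()))?;
        if n == 0 {
            return Ok(body); // EOF reached within the limit
        }
        if body.len() + n > limit {
            return Err(BodyError::TooLarge { limit });
        }
        body.extend_from_slice(&chunk[..n]);
    }
}

fn main() {
    // Constructed inputs: a small form body, and an endless stream of 'a' bytes
    // standing in for the very large or infinite body the advisory describes.
    let small = io::Cursor::new(b"name=alice&role=user".to_vec());
    println!("{:?}", read_body_limited(small, DEFAULT_BODY_LIMIT).map(|b| b.len()));
    let endless = io::repeat(b'a');
    println!("{:?}", read_body_limited(endless, DEFAULT_BODY_LIMIT));
}
```

Calling `read_body_unbounded` on the endless stream would grow the buffer until allocation fails, which is the crash the advisory describes; the bounded variant returns `TooLarge` after buffering at most 2 MB.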

See advisory page for additional details.

@ra0x3 ra0x3 closed this as completed Nov 8, 2022