GitHub Advisory DatabaseGHSA-M77F-652Q-WWP4axum-core has no default limit put on request bodies
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.001 Low
EPSS
Percentile
33.0%
<bytes::Bytes as axum_core::extract::FromRequest>::from_request would not, by default, set a limit for the size of the request body. That meant if a malicious peer would send a very large (or infinite) body your server might run out of memory and crash.
This also applies to these extractors which used Bytes::from_request internally:
axum::extract::Formaxum::extract::JsonString
The fix is also in axum-core 0.3.0.rc.2 but 0.3.0.rc.1 is vulnerable.
Because axum depends on axum-core it is vulnerable as well. The vulnerable versions of axum are <= 0.5.15 and 0.6.0.rc.1. axum >= 0.5.16 and >= 0.6.0.rc.2 does have the fix and are not vulnerable.
The patched versions will set a 2 MB limit by default.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| axum-core | eq | 0.3.0-rc.1 | |
| axum-core | lt | 0.2.8 |
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.001 Low
EPSS
Percentile
33.0%