Lucene search
RustsecRUSTSEC-2022-0055HistoryAug 31, 2022 - 12:00 p.m.
No default limit put on request bodies
2022-08-3112:00:00
rustsec.org
8
0.001 Low
EPSS
Percentile
33.0%
<bytes::Bytes as axum_core::extract::FromRequest>::from_request would not, by
default, set a limit for the size of the request body. That meant if a malicious
peer would send a very large (or infinite) body your server might run out of
memory and crash.
This also applies to these extractors which used Bytes::from_request
internally:
axum::extract::Formaxum::extract::JsonString
The fix is also in axum-core 0.3.0.rc.2 but 0.3.0.rc.1 is vulnerable.
Because axum depends on axum-core it is vulnerable as well. The vulnerable
versions of axum are <= 0.5.15 and 0.6.0.rc.1. axum >= 0.5.16 and
>= 0.6.0.rc.2 does have the fix and are not vulnerable.
The patched versions will set a 2 MB limit by default.
| CPE | Name | Operator | Version |
|---|---|---|---|
| axum-core | lt | 0.2.8 | |
| axum-core | ge | 0.3.0-rc.1 | |
| axum-core | lt | 0.3.0-rc.2 |
Related
osv
osv
axum-core has no default limit put on request bodies
2022-09-15 03:25:15
No default limit put on request bodies
2022-08-31 12:00:00
cve
cve
CVE-2022-3212
2022-09-14 16:15:11
cvelist
cvelist
CVE-2022-3212 DoS in axum-core due to missing request size limit
2022-09-14 16:05:09
github
github
axum-core has no default limit put on request bodies
2022-09-15 03:25:15
prion
prion
Design/Logic Flaw
2022-09-14 16:15:00
nvd
nvd
CVE-2022-3212
2022-09-14 16:15:11