Add axum-core DoS (#1417)

2025-12-29 07:46:22 +01:00 · 2022-09-13 02:40:55 +02:00
parent 57117194f0
commit 42bea97b0d
1 changed files with 33 additions and 0 deletions
--- a/crates/axum-core/RUSTSEC-0000-0000.md
+++ b/crates/axum-core/RUSTSEC-0000-0000.md
@@ -0,0 +1,33 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "axum-core"
+date = "2022-08-31"
+url = "https://github.com/tokio-rs/axum/pull/1346"
+categories = ["denial-of-service"]
+keywords = ["ddos", "oom"]
+
+[versions]
+patched = [">= 0.2.8, < 0.3.0-rc.1", ">= 0.3.0-rc.2"]
+```
+
+# No default limit put on request bodies
+
+`<bytes::Bytes as axum_core::extract::FromRequest>::from_request` would not, by
+default, set a limit for the size of the request body. That meant if a malicious
+peer would send a very large (or infinite) body your server might run out of
+memory and crash.
+
+This also applies to these extractors which used `Bytes::from_request`
+internally:
+- `axum::extract::Form`
+- `axum::extract::Json`
+- `String`
+
+The fix is also in `axum-core` `0.3.0.rc.2` but `0.3.0.rc.1` _is_ vulnerable.
+
+Because `axum` depends on `axum-core` it is vulnerable as well. The vulnerable
+versions of `axum` are `<= 0.5.15` and `0.6.0.rc.1`. `axum` `>= 0.5.16` and
+`>= 0.6.0.rc.2` does have the fix and are not vulnerable.
+
+The patched versions will set a 2 MB limit by default.