OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-02-15 22:04:38 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
cdcbc33c5826fc85d31212bdc1907a74e2759523
advisory-db/crates/axum-core/RUSTSEC-2022-0055.md
github-actions[bot] 3a635d3a08 Assigned RUSTSEC-2022-0055 to axum-core (#1419) 
Co-authored-by: pinkforest <pinkforest@users.noreply.github.com>
2022-09-13 10:41:23 +10:00

1.0 KiB
Raw Blame History 

[advisory]
id = "RUSTSEC-2022-0055"
package = "axum-core"
date = "2022-08-31"
url = "https://github.com/tokio-rs/axum/pull/1346"
categories = ["denial-of-service"]
keywords = ["ddos", "oom"]

[versions]
patched = [">= 0.2.8, < 0.3.0-rc.1", ">= 0.3.0-rc.2"]

No default limit put on request bodies

<bytes::Bytes as axum_core::extract::FromRequest>::from_request would not, by default, set a limit for the size of the request body. That meant if a malicious peer would send a very large (or infinite) body your server might run out of memory and crash.

This also applies to these extractors which used Bytes::from_request internally:

  • axum::extract::Form
  • axum::extract::Json
  • String

The fix is also in axum-core 0.3.0.rc.2 but 0.3.0.rc.1 is vulnerable.

Because axum depends on axum-core it is vulnerable as well. The vulnerable versions of axum are <= 0.5.15 and 0.6.0.rc.1. axum >= 0.5.16 and >= 0.6.0.rc.2 does have the fix and are not vulnerable.

The patched versions will set a 2 MB limit by default.