{"id":"RUSTSEC-2022-0055","summary":"No default limit put on request bodies","details":"`\u003cbytes::Bytes as axum_core::extract::FromRequest\u003e::from_request` would not, by\ndefault, set a limit for the size of the request body. That meant if a malicious\npeer would send a very large (or infinite) body your server might run out of\nmemory and crash.\n\nThis also applies to these extractors which used `Bytes::from_request`\ninternally:\n- `axum::extract::Form`\n- `axum::extract::Json`\n- `String`\n\nThe fix is also in `axum-core` `0.3.0.rc.2` but `0.3.0.rc.1` _is_ vulnerable.\n\nBecause `axum` depends on `axum-core` it is vulnerable as well. The vulnerable\nversions of `axum` are `\u003c= 0.5.15` and `0.6.0.rc.1`. `axum` `\u003e= 0.5.16` and\n`\u003e= 0.6.0.rc.2` does have the fix and are not vulnerable.\n\nThe patched versions will set a 2 MB limit by default.","aliases":["CVE-2022-3212","GHSA-m77f-652q-wwp4"],"modified":"2023-11-08T04:09:34.414125Z","published":"2022-08-31T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/axum-core"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2022-0055.html"},{"type":"WEB","url":"https://github.com/tokio-rs/axum/pull/1346"}],"affected":[{"package":{"name":"axum-core","ecosystem":"crates.io","purl":"pkg:cargo/axum-core"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.2.8"},{"introduced":"0.3.0-rc.1"},{"fixed":"0.3.0-rc.2"}]}],"ecosystem_specific":{"affects":{"arch":[],"os":[],"functions":[]},"affected_functions":null},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0055.json","cvss":null,"informational":null,"categories":["denial-of-service"]}}],"schema_version":"1.7.3"}