Advisories for Cargo/Axum-Core package

2022

Duplicate of GHSA-m77f-652q-wwp4

Duplicate advisory: this advisory is a duplicate of GHSA-m77f-652q-wwp4. This link is maintained to preserve external references.

Original description: <bytes::Bytes as axum_core::extract::FromRequest>::from_request would not, by default, set a limit on the size of the request body. That meant that if a malicious peer sent a very large (or infinite) body, your server might run out of memory and crash. This also applies to the extractors that used Bytes::from_request internally: axum::extract::Form …

axum-core has no default limit put on request bodies

<bytes::Bytes as axum_core::extract::FromRequest>::from_request would not, by default, set a limit on the size of the request body. That meant that if a malicious peer sent a very large (or infinite) body, your server might run out of memory and crash. This also applies to the following extractors, which used Bytes::from_request internally: axum::extract::Form, axum::extract::Json, and String. The fix is also in axum-core 0.3.0.rc.2, but 0.3.0.rc.1 is vulnerable. Because axum depends on axum-core it …