GHSA-2gg5-7c4v-6xx2: Duplicate of GHSA-m77f-652q-wwp4
Duplicate advisory
This advisory is a duplicate of GHSA-m77f-652q-wwp4. This link is maintained to preserve external references.
Original Description
<bytes::Bytes as axum_core::extract::FromRequest>::from_request would not, by default, set a limit for the size of the request body. That meant that if a malicious peer sent a very large (or infinite) body, your server might run out of memory and crash.

This also applies to these extractors, which used Bytes::from_request internally:

- axum::extract::Form
- axum::extract::Json
- String