{ "schema_version": "1.4.0", "id": "GHSA-m77f-652q-wwp4", "modified": "2022-09-19T19:22:47Z", "published": "2022-09-15T03:25:15Z", "aliases": [ "CVE-2022-3212" ], "summary": "axum-core has no default limit put on request bodies", "details": "`::from_request` would not, by default, set a limit for the size of the request body. That meant if a malicious peer would send a very large (or infinite) body your server might run out of memory and crash.\n\nThis also applies to these extractors which used `Bytes::from_request` internally:\n- `axum::extract::Form`\n- `axum::extract::Json`\n- `String`\n\nThe fix is also in `axum-core` `0.3.0.rc.2` but `0.3.0.rc.1` _is_ vulnerable.\n\nBecause `axum` depends on `axum-core` it is vulnerable as well. The vulnerable versions of `axum` are `<= 0.5.15` and `0.6.0.rc.1`. `axum` `>= 0.5.16` and `>= 0.6.0.rc.2` does have the fix and are not vulnerable.\n\nThe patched versions will set a 2 MB limit by default.\n", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "affected": [ { "package": { "ecosystem": "crates.io", "name": "axum-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "0.2.8" } ] } ] }, { "package": { "ecosystem": "crates.io", "name": "axum-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.3.0-rc.1" }, { "fixed": "0.3.0-rc.2" } ] } ], "versions": [ "0.3.0-rc.1" ] } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3212" }, { "type": "WEB", "url": "https://github.com/tokio-rs/axum/pull/1346" }, { "type": "PACKAGE", "url": "https://github.com/tokio-rs/axum" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2022-0055.html" } ], "database_specific": { "cwe_ids": [ "CWE-770" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-09-15T03:25:15Z", "nvd_published_at": null } }