CVE-2022-3212

Name of the Vulnerable Software and Affected Versions axum versions <= 0.5.15 axum version 0.6.0.rc.1 axum-core version 0.3.0.rc.1

Description The issue arises from the <bytes::Bytes as axum core::extract::FromRequest>::from request function not setting a limit for the size of the request body by default. This allows a malicious peer to send a very large or infinite body, potentially causing the server to run out of memory and crash. The extractors axum::extract::Form, axum::extract::Json, and String are also affected as they use Bytes::from request internally.

Recommendations For axum versions <= 0.5.15, update to version >= 0.5.16 to resolve the issue. For axum version 0.6.0.rc.1, update to version >= 0.6.0.rc.2 to resolve the issue. For axum-core version 0.3.0.rc.1, update to version >= 0.3.0.rc.2 to resolve the issue. As a temporary workaround, consider setting a limit for the size of the request body to prevent potential crashes.