Allocation of Resources Without Limits or Throttling Affecting axum-core package, versions <0.3.0-rc.2


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.08% (38th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Allocation of Resources Without Limits or Throttling vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-RUST-AXUMCORE-3023730
  • published15 Sept 2022
  • disclosed15 Sept 2022
  • creditJohseg

Introduced: 15 Sep 2022

CVE-2022-3212  (opens in a new tab)
CWE-770  (opens in a new tab)

How to fix?

Upgrade axum-core to version 0.3.0-rc.2 or higher.

Overview

axum-core is an ergonomic and modular web framework built with Tokio, Tower, and Hyper

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper limitation of the request body size in <bytes::Bytes as axum_core::extract::FromRequest>::from_request

Note

This also applies to these extractors which used Bytes::from_request internally:

  1. axum::extract::Form

  2. axum::extract::Json

  3. String

CVSS Scores

version 3.1