JFrog Security Research
< Back

- axum-core missing request size limit DoS

CVE-2022-3212 | CVSS 7.5

JFrog Severity:high

Discovered ByOri Hollanderof the JFrog Security Research Team

Published 31 Aug, 2022 | Last updated 31 Aug, 2022

A missing request size limit for HTTP requests in axum-core can allow network attackers to perform denial of service


axum-core (, 0.2.7], fixed in 0.2.8

axum-core (, 0.3.0-rc.1], fixed in 0.3.0-rc.2

<bytes::Bytes as axum_core::extract::FromRequest>::from_request would not, by default, set a limit for the size of the request body. That meant if a malicious peer would send a request with a very large Content-Length header (even if the body itself is not very large), the Rust allocator would panic (due to a failed allocation) and the process would crash.

This also applies to these extractors which used Bytes::from_request internally:

  • axum::extract::Form
  • axum::extract::Json
  • String

git clone https://github.com/tokio-rs/axum

cd axum/examples && cargo run -p example-readme

curl -v -X POST "" -H "Content-Type: application/json" \
--data `python3 -c "import sys; sys.stdout.write('a'*10000)"` -H "Content-Length: 11111111111111111111"

No mitigations are provided for this vulnerability.

In order to fully fix this vulnerability, we recommend upgrading axum-core to version 0.2.8

The fixed axum version is 0.5.16


< Back