<bytes::Bytes as axum_core::extract::FromRequest>::from_request did not, by
default, set a limit on the size of the request body. That meant that if a
malicious peer sent a very large (or infinite) body, your server might run out
of memory and crash.
This also applies to these extractors which used
The fix is also in
0.3.0.rc.1 is vulnerable.
axum depends on
axum-core it is vulnerable as well. The vulnerable
<= 0.5.15 and
>= 0.5.16 and
>= 0.6.0.rc.2 have the fix and are not vulnerable.
The patched versions will set a 2 MB limit by default.
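The mitigation described above, sketched with only the Rust standard library as an added example (not code from axum or axum-core): a body is buffered under a hard cap, so an oversized or endless stream is rejected instead of growing the buffer without bound. The names read_body_limited, BodyError and DEFAULT_BODY_LIMIT are hypothetical, and 2 MB is assumed to mean 2 * 1024 * 1024 bytes.

```rust
use std::io::{self, Read};

// Assumption: the advisory's "2 MB" default taken as 2 * 1024 * 1024 bytes.
const DEFAULT_BODY_LIMIT: usize = 2 * 1024 * 1024;

#[derive(Debug, PartialEq)]
enum BodyError {
    TooLarge, // a server would answer this with HTTP 413
    Io(io::ErrorKind),
}

/// Hypothetical helper: buffer a request body, holding at most `limit` + 1 bytes.
fn read_body_limited<R: Read>(
    body: R,
    content_length: Option<u64>,
    limit: usize,
) -> Result<Vec<u8>, BodyError> {
    // Cheap early rejection when the peer declares an oversized body.
    if let Some(len) = content_length {
        if len > limit as u64 {
            return Err(BodyError::TooLarge);
        }
    }
    // The declared length may be absent (chunked) or false, so also cap the
    // bytes actually read. Reading limit + 1 tells "exactly limit" from "more".
    let mut buf = Vec::new();
    body.take(limit as u64 + 1)
        .read_to_end(&mut buf)
        .map_err(|e| BodyError::Io(e.kind()))?;
    if buf.len() > limit {
        return Err(BodyError::TooLarge);
    }
    Ok(buf)
}

fn main() {
    // Constructed inputs: a small body, and an endless stream standing in
    // for a peer that never stops sending.
    let small = read_body_limited(&b"{\"ok\":true}"[..], Some(11), DEFAULT_BODY_LIMIT);
    println!("small body: {:?}", small.map(|b| b.len()));
    let endless = read_body_limited(io::repeat(b'A'), None, DEFAULT_BODY_LIMIT);
    println!("endless body: {:?}", endless.map(|b| b.len()));
}
```

Without the `take` cap, `read_to_end` on the endless stream would keep allocating until the process ran out of memory, which is the failure mode the advisory describes.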
Advisory available under CC0-1.0