axum - v0.5.16

@davidpdrsn davidpdrsn released this 10 Sep 08:01

Security

  • breaking: Added a default limit to how much data Bytes::from_request will
    consume. Previously it would attempt to consume the entire request body
    without checking its length. This meant that if a malicious peer sent a large
    (or infinite) request body, your server might run out of memory and crash.

    The default limit is 2 MB and can be disabled by adding the new
    DefaultBodyLimit::disable() middleware. See its documentation for more
    details.

    This also applies to these extractors which used Bytes::from_request
    internally:

    • Form
    • Json
    • String

    Thanks to Shachar Menashe for reporting this vulnerability.

    (#1346)
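As an added illustration of the bug class this release fixes (a stand-alone model, not axum's own code), the following Rust compares an extractor that buffers the whole body with one that enforces the 2 MB default on every chunk; passing `None` as the limit stands in for `DefaultBodyLimit::disable()`, and the chunk iterator is a constructed stand-in for a streaming request body.

```rust
// Stand-alone model of body collection before and after the fix.
// Assumed: a request body arrives as an iterator of chunks (as a streaming
// HTTP body does); an endless iterator models an infinite body.

/// Default cap, matching the 2 MB default introduced in this release.
pub const DEFAULT_BODY_LIMIT: usize = 2 * 1024 * 1024;

#[derive(Debug, PartialEq)]
pub enum BodyError {
    /// The body exceeded the configured limit (HTTP 413 in a real server).
    PayloadTooLarge { limit: usize },
}

/// Pre-fix behaviour: consume every chunk the peer sends. On a huge or
/// never-ending body the buffer grows until memory is exhausted, so this
/// must only ever be called on a finite stream.
pub fn collect_unbounded<I>(chunks: I) -> Vec<u8>
where
    I: IntoIterator<Item = Vec<u8>>,
{
    chunks.into_iter().flatten().collect()
}

/// Post-fix behaviour: stop as soon as the buffered size would exceed
/// `limit`. The check runs per chunk, not just against Content-Length, so a
/// chunked or endless body is rejected after at most `limit` bytes are held
/// in memory and the rest of the stream is never drained.
/// `None` disables the cap, as `DefaultBodyLimit::disable()` does; that is
/// only safe when another layer bounds the body instead.
pub fn collect_limited<I>(chunks: I, limit: Option<usize>) -> Result<Vec<u8>, BodyError>
where
    I: IntoIterator<Item = Vec<u8>>,
{
    let mut body = Vec::new();
    for chunk in chunks {
        if let Some(limit) = limit {
            if body.len() + chunk.len() > limit {
                return Err(BodyError::PayloadTooLarge { limit });
            }
        }
        body.extend_from_slice(&chunk);
    }
    Ok(body)
}

fn main() {
    // Constructed infinite body: 64 KiB chunks forever.
    let endless = std::iter::repeat(vec![0u8; 64 * 1024]);
    match collect_limited(endless, Some(DEFAULT_BODY_LIMIT)) {
        Err(e) => println!("rejected: {e:?}"),
        Ok(body) => println!("read {} bytes", body.len()),
    }
}
```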