github tokio-rs/axum axum-v0.5.16
axum - v0.5.16

2 years ago

Security

  • breaking: Added a default limit to how much data Bytes::from_request will
    consume. Previously it would attempt to consume the entire request body
    without checking its length. This meant that if a malicious peer sent a large
    (or infinite) request body, your server might run out of memory and crash.

    The default limit is at 2 MB and can be disabled by adding the new
    DefaultBodyLimit::disable() middleware. See its documentation for more
    details.

    This also applies to these extractors which used Bytes::from_request
    internally:

    • Form
    • Json
    • String

    Thanks to Shachar Menashe for reporting this vulnerability.

    (#1346)
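The defensive pattern behind this fix, as an added example that is not axum's own code: a body reader that refuses to buffer past a configured limit (defaulting to the 2 MB from this release) and that can be disabled to restore the old unbounded behaviour. The `read_body_limited`, `infinite_body` and `BodyError` names are this example's own, not axum's API; `std::io::repeat` stands in for the infinite request body the advisory describes.

```rust
use std::io::{self, Read};

/// Default body limit introduced in axum 0.5.16: 2 MB.
pub const DEFAULT_BODY_LIMIT: usize = 2 * 1024 * 1024;

#[derive(Debug, PartialEq)]
pub enum BodyError {
    /// The body would exceed the configured limit; it is rejected before buffering more.
    TooLarge { limit: usize },
    Io(String),
}

/// Read a request body from any byte stream, never holding more than `limit` bytes.
/// `None` disables the limit (the equivalent of `DefaultBodyLimit::disable()`), which
/// is the pre-0.5.16 behaviour of buffering the whole body regardless of length.
pub fn read_body_limited<R: Read>(mut body: R, limit: Option<usize>) -> Result<Vec<u8>, BodyError> {
    let mut buf = Vec::new();
    let mut chunk = [0u8; 8192];
    loop {
        let n = body.read(&mut chunk).map_err(|e| BodyError::Io(e.to_string()))?;
        if n == 0 {
            return Ok(buf); // EOF: body fully read within the limit
        }
        if let Some(limit) = limit {
            // Check before extending so memory use is bounded by `limit`, not by the peer.
            if buf.len() + n > limit {
                return Err(BodyError::TooLarge { limit });
            }
        }
        buf.extend_from_slice(&chunk[..n]);
    }
}

/// A constructed, never-ending body stream: `io::repeat` never returns EOF, which is
/// exactly the case that exhausted memory before the limit existed.
pub fn infinite_body() -> impl Read {
    io::repeat(b'A')
}

fn main() {
    // A small body is read fully.
    let small = read_body_limited(&b"hello"[..], Some(DEFAULT_BODY_LIMIT)).unwrap();
    println!("read {} bytes", small.len());
    // The infinite body is rejected once 2 MB is reached instead of growing without bound.
    let err = read_body_limited(infinite_body(), Some(DEFAULT_BODY_LIMIT)).unwrap_err();
    println!("rejected: {:?}", err);
    // Note: read_body_limited(infinite_body(), None) would never return, which is the
    // behaviour DefaultBodyLimit::disable() opts back into.
}
```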
