7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-3212

CVE-2022-3212: axum-core has no default limit put on request bodies

<bytes::Bytes as axum_core::extract::FromRequest>::from_request would not, by default, set a limit for the size of the request body. That meant if a malicious peer would send a very large (or infinite) body your server might run out of memory and crash.

This also applies to these extractors which used Bytes::from_request internally:

axum::extract::Form
axum::extract::Json
String

The fix is also in axum-core 0.3.0.rc.2 but 0.3.0.rc.1 is vulnerable.

Because axum depends on axum-core it is vulnerable as well. The vulnerable versions of axum are <= 0.5.15 and 0.6.0.rc.1. axum >= 0.5.16 and >= 0.6.0.rc.2 does have the fix and are not vulnerable.

The patched versions will set a 2 MB limit by default.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-3212

CVE-2022-3212:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
axum-core	rust	< 0.2.8	0.2.8
axum-core	rust	= 0.3.0-rc.1	0.3.0-rc.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability root cause is explicitly identified in multiple sources as the FromRequest implementation for Bytes type. This function's lack of size limitation propagates to dependent extractors (Form, Json, String) that use it internally. The GitHub advisory, CVE description, and commit diff all specifically reference this function as the source of the vulnerability. The fix involved adding http_body::Limited wrapper to enforce a 2MB default limit, confirming the vulnerable code path was in the from_request implementation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-3212: axum-core has no default limit put on request bodies

CVE-2022-3212:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

7.5

7.5

CVE-2022-3212: axum-core has no default limit put on request bodies

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI