7.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-2gg5-7c4v-6xx2

EPSS Score

CWE

CWE-770

Published

9/15/2022

Updated

1/28/2023

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-2gg5-7c4v-6xx2

GHSA-2gg5-7c4v-6xx2: Duplicate of GHSA-m77f-652q-wwp4

Duplicate advisory

This advisory is a duplicate of GHSA-m77f-652q-wwp4. This link is maintained to preserve external references.

Original Description

<bytes::Bytes as axum_core::extract::FromRequest>::from_request would not, by default, set a limit for the size of the request body. That meant if a malicious peer would send a very large (or infinite) body your server might run out of memory and crash. This also applies to these extractors which used Bytes::from_request internally: axum::extract::Form axum::extract::Json String

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-2gg5-7c4v-6xx2

EPSS Score

CWE

CWE-770

Published

9/15/2022

Updated

1/28/2023

KEV Status

Technology

Rust

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
axum-core	rust	< 0.2.8	0.2.8
axum-core	rust	= 0.3.0-rc.1	0.3.0-rc.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability root cause is explicitly identified in multiple advisories as the FromRequest trait implementation for Bytes in axum-core. This function is directly responsible for processing raw request bodies without size validation in vulnerable versions. While higher-level extractors (Form, Json) are mentioned as affected, they reside in the axum crate and delegate to the vulnerable axum-core implementation. The function signature follows Rust's fully qualified trait implementation syntax which would appear in stack traces.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## *upli**t* **visory T*is **visory is * *upli**t* o* [**S*-m***-***q-wwp*](*ttps://*it*u*.*om/**visori*s/**S*-m***-***q-wwp*). T*is link is m*int*in** to pr*s*rv* *xt*rn*l r***r*n**s. ## Ori*in*l **s*ription <*yt*s::*yt*s *s *xum_*or*::*xtr**t::*ro

Reasoning

T** vuln*r**ility root **us* is *xpli*itly i**nti*i** in multipl* **visori*s *s t** *romR*qu*st tr*it impl*m*nt*tion *or *yt*s in `*xum-*or*`. T*is `*un*tion` is *ir**tly r*sponsi*l* *or pro**ssin* r*w r*qu*st *o*i*s wit*out siz* v*li**tion in vuln*r

7.5

Basic Information

Concerned about an active attack path?

GHSA-2gg5-7c4v-6xx2: Duplicate of GHSA-m77f-652q-wwp4

Duplicate advisory

Original Description

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI