<bytes::Bytes as axum_core::extract::FromRequest>::from_request would not, by default, set a limit for the size of the request body. That meant that if a malicious peer sent a very large (or infinite) body, your server might run out of memory and crash.
This also applies to these extractors which used
The fix is also in
0.3.0.rc.1 is vulnerable.
axum depends on
axum-core it is vulnerable as well. The vulnerable versions of
<= 0.5.15 and
>= 0.5.16 and
>= 0.6.0.rc.2 do have the fix and are not vulnerable.
The patched versions will set a 2 MB limit by default.
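To illustrate the difference between buffering a body without a bound and buffering it under a cap, here is an added, self-contained Rust example (not axum's or axum-core's own code): a reader that refuses to grow past a limit, exercised against a constructed infinite body standing in for the malicious peer. The 2 MB constant mirrors the default the advisory describes; the function and type names are this example's own.

```rust
use std::io::{self, Read};

/// Default cap, mirroring the 2 MB limit the patched versions apply by default.
pub const DEFAULT_BODY_LIMIT: usize = 2 * 1024 * 1024;

#[derive(Debug, PartialEq)]
pub enum BodyError {
    /// The body exceeded `limit` bytes; reading stopped before buffering more.
    TooLarge { limit: usize },
    Io(String),
}

/// Read a request body into memory, refusing to buffer more than `limit` bytes.
/// Reads in fixed-size chunks, so a peer sending an endless body is rejected after
/// at most one chunk beyond `limit`, instead of growing memory without bound.
pub fn read_body_limited<R: Read>(mut body: R, limit: usize) -> Result<Vec<u8>, BodyError> {
    let mut buf = Vec::new();
    let mut chunk = [0u8; 8192];
    loop {
        let n = body.read(&mut chunk).map_err(|e| BodyError::Io(e.to_string()))?;
        if n == 0 {
            return Ok(buf); // end of body within the limit
        }
        if buf.len() + n > limit {
            return Err(BodyError::TooLarge { limit }); // stop before allocating more
        }
        buf.extend_from_slice(&chunk[..n]);
    }
}

/// Constructed stand-in for a malicious peer: a body that never ends.
pub struct InfiniteBody;

impl Read for InfiniteBody {
    fn read(&mut self, out: &mut [u8]) -> io::Result<usize> {
        out.fill(b'A');
        Ok(out.len())
    }
}

fn main() {
    // A normal small body is buffered in full.
    println!("{:?}", read_body_limited(&b"{\"ok\":true}"[..], DEFAULT_BODY_LIMIT));
    // An infinite body is rejected once the cap is reached, with bounded memory use.
    println!("{:?}", read_body_limited(InfiniteBody, DEFAULT_BODY_LIMIT));
}
```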