CVE-2022-3212: 
Rust vulnerability analysis and mitigation

CVE-2022-3212 is a vulnerability in axum-core, a Rust package, discovered and reported by Ori Hollander from the JFrog Security Research Team on August 31, 2022. The vulnerability affects axum-core versions up to 0.2.7 and 0.3.0-rc.1, where the ::from_request function did not set a default limit for HTTP request body sizes. This vulnerability also impacts several extractors that use Bytes::from_request internally, including axum::extract::Form, axum::extract::Json, and String (JFrog Advisory, RustSec Advisory).

The vulnerability stems from the ::from_request function's failure to implement request size limits by default. When processing HTTP requests, if a malicious actor sends a request with a very large Content-Length header (even with a relatively small body), it could cause the Rust allocator to panic due to failed allocation attempts. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) and is categorized under CWE-770 (Allocation of Resources Without Limits or Throttling) (NVD).

The primary impact of this vulnerability is the potential for denial of service attacks. When exploited, an attacker can cause the server to run out of memory and crash by sending requests with extremely large or infinite body sizes. This could lead to service disruption and system instability (JFrog Advisory, RustSec Advisory).

The vulnerability has been patched in axum-core version 0.2.8 and 0.3.0-rc.2. The fixed versions implement a default 2 MB limit on request body sizes. For axum users, versions 0.5.16 and 0.6.0-rc.2 or later contain the fix. It is strongly recommended to upgrade to these patched versions as no alternative mitigations are provided (RustSec Advisory).