Critiq Docs

security.misconfiguration

Do not disable Axum default body limits for untrusted uploads

Axum apps should keep a finite `DefaultBodyLimit` (or equivalent) so request bodies cannot exhaust memory.

#Metadata

Rule ID: rust.security.axum-body-limit-disabled
Severity: high
Confidence: 0.86
Languages: rust
Presets: security, strict
Stability: experimental
Applies to: block
Tags: axum, rules-catalog, rust, security

#Why it matters

`DefaultBodyLimit::disable()` removes the framework guardrail against huge bodies and is unsafe on routes that accept untrusted input.

#Remediation

Set an explicit max body size with `DefaultBodyLimit::max`, add `tower_http::limit::RequestBodyLimitLayer`, or enforce limits at your edge proxy before accepting large uploads.
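
What a finite limit buys, as an added std-only illustration (not Axum's or Critiq's code): the body is buffered chunk by chunk and rejected as soon as it would exceed the cap, so memory held per request is bounded by the limit. `read_body_capped`, `BodyError` and `EndlessUpload` are hypothetical names, and the 2 MiB cap is an assumed value.

```rust
use std::io::{self, Read};

/// Why a capped read stopped early.
#[derive(Debug, PartialEq)]
pub enum BodyError {
    TooLarge { limit: usize },
    Io(io::ErrorKind),
}

/// Hypothetical helper: buffer a body from `src`, never holding more than `limit` bytes.
pub fn read_body_capped<R: Read>(mut src: R, limit: usize) -> Result<Vec<u8>, BodyError> {
    let mut body = Vec::new();
    let mut chunk = [0u8; 4096];
    loop {
        let n = match src.read(&mut chunk) {
            Ok(0) => return Ok(body), // end of body, still within the cap
            Ok(n) => n,
            Err(e) if e.kind() == io::ErrorKind::Interrupted => continue,
            Err(e) => return Err(BodyError::Io(e.kind())),
        };
        // Check before copying, so the buffer never grows past the cap.
        if body.len() + n > limit {
            return Err(BodyError::TooLarge { limit });
        }
        body.extend_from_slice(&chunk[..n]);
    }
}

/// Constructed stand-in for an oversized upload: yields `remaining` bytes without storing them.
pub struct EndlessUpload {
    pub remaining: u64,
}

impl Read for EndlessUpload {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        let n = (buf.len() as u64).min(self.remaining) as usize;
        buf[..n].fill(b'A');
        self.remaining -= n as u64;
        Ok(n)
    }
}

fn main() {
    let limit = 2 * 1024 * 1024; // assumed 2 MiB cap
    let small = read_body_capped(&b"{\"name\":\"report.pdf\"}"[..], limit);
    println!("small upload: {:?}", small.map(|b| b.len()));
    let huge = read_body_capped(EndlessUpload { remaining: 8 << 30 }, limit);
    println!("8 GiB upload: {:?}", huge.map(|b| b.len()));
}
```

Without the size check, the same loop would keep growing `body` until the 8 GiB source ended or the process ran out of memory.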

#Repository path

The generated metadata points to `critiq-rules/libs/rules/catalog/rules/rust/rust.security.axum-body-limit-disabled.rule.yaml`.