Heap Overflow in Axum with Dynamodb
Heap Overflow in Axum with Dynamodb — how this specific combination creates or exposes the vulnerability
A heap-based buffer overflow in an Axum service that uses the AWS SDK for Rust to interact with DynamoDB can occur when untrusted input directly sizes or copies into heap-allocated buffers before being stored or sent to DynamoDB. In this combination, the Rust service parses HTTP requests with Axum, builds DynamoDB PutItem or UpdateItem input structures from those requests, and then passes them to the AWS SDK. If the application trusts the request size or content, it may construct buffers or deserialize payloads without proper length checks, leading to writes past allocated heap memory.
This becomes a practical risk when the service deserializes JSON or CBOR into large, unbounded Rust structures (e.g., HashMap
The AWS SDK for Rust serializes requests to HTTP; if an attacker sends specially crafted JSON that results in large or deeply nested structures, and the service copies data into fixed-size heap buffers before handing it to the SDK, the overflow can manifest during serialization or when the service processes the response. An unchecked Content-Length-like field or an unbounded String used as a key or attribute value in DynamoDB items can enlarge heap usage unexpectedly. Because DynamoDB expects strongly-typed attribute values, malformed or oversized attribute values may trigger deeper parsing paths in the SDK, increasing exposure if the SDK or related dependencies have unchecked buffer operations.
In practice, this vulnerability surface appears when:
- The Axum extractor reads a raw body or header into a heap buffer without validating size or structure before constructing DynamoDB items.
- The service builds expression attribute values from user input using the AWS SDK’s attribute builders without bounding string lengths or collection sizes.
- Unsafe Rust code or third-party crates used alongside the SDK manipulate buffers directly, bypassing Rust’s usual safety guarantees.
Because middleBrick tests the unauthenticated attack surface and includes input validation and unsafe consumption checks among its 12 parallel security checks, it can flag indicators of such overflow risks in the API behavior and specification, even though the scanner does not perform remediation.
Dynamodb-Specific Remediation in Axum — concrete code fixes
To mitigate heap overflow risks when using Axum with DynamoDB, validate and bound all inputs before constructing SDK structures, and avoid unsafe buffer handling. Prefer strongly-typed request DTOs with explicit size limits, and use the AWS SDK’s high-level builders safely by constraining strings, collections, and nested depths.
Example of unsafe deserialization that can contribute to heap issues:
// Unsafe: unbounded deserialization into a large DynamoDB item
async fn put_item_unsafe(body: String) -> Result<(), (StatusCode, String)> {
let input: HashMap<String, AttributeValue> = serde_json::from_str(&body)
.map_err(|e| (StatusCode::BAD_REQUEST, e.to_string()))?;
let req = PutItemInput::builder()
.set_table_name("MyTable".to_string())
.set_item(input)
.build();
client.put_item().send().await?;
Ok(())
}
Safer approach with explicit validation and bounded structures:
use aws_sdk_dynamodb::types::AttributeValue;
use axum::extract::Json;
use serde::{Deserialize, Serialize};
use std::collections::HashMap;
const MAX_ATTR_VALUE_LENGTH: usize = 4096;
const MAX_ITEM_SIZE: usize = 25;
#[derive(Deserialize, Serialize)]
struct MyItem {
id: String,
#[serde(deserialize_with = "bounded_string")]
name: String,
#[serde(deserialize_with = "bounded_map")]
attrs: HashMap<String, AttributeValue>,
}
fn bounded_string<'de, D>(deserializer: D) -> Result<String, D::Error>
where
D: serde::Deserializer<'de>,
{
let s = String::deserialize(deserializer)?;
if s.len() > MAX_ATTR_VALUE_LENGTH {
return Err(serde::de::Error::invalid_length(s.len(), &"string length <= 4096"));
}
Ok(s)
}
fn bounded_map<'de, D>(deserializer: D) -> Result<HashMap<String, AttributeValue>, D::Error>
where
D: serde::Deserializer<'de>,
{
let map = HashMap::deserialize(deserializer)?;
if map.len() > MAX_ITEM_SIZE {
return Err(serde::de::Error::invalid_length(map.len(), &"map size <= 25"));
}
for (k, v) in &map {
if k.len() > MAX_ATTR_VALUE_LENGTH {
return Err(serde::de::Error::invalid_length(k.len(), &"key length"));
}
if let AttributeValue::S(val) = v {
if val.len() > MAX_ATTR_VALUE_LENGTH {
return Err(serde::de::Error::invalid_length(val.len(), &"attribute string length"));
}
}
}
Ok(map)
}
async fn put_item_safe(Json(payload): Json<MyItem>) -> Result<(), (StatusCode, String)> {
let item: HashMap<String, AttributeValue> = payload
.attrs
.into_iter()
.map(|(k, v)| Ok((k, v)))
.collect::<Result<_, _>>()
.map_err(|e| (StatusCode::BAD_REQUEST, e.to_string()))?;
let req = PutItemInput::builder()
.table_name("MyTable")
.set_item(Some(item))
.build()
.map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
client.put_item().send().await?;
Ok(())
}
Additional remediation steps include:
- Use Axum extractors with explicit size limits for JSON payloads (e.g., limit max bytes with
JsonConfig). - Validate attribute values and expression strings before passing them to DynamoDB condition or update expression builders.
- Avoid constructing DynamoDB expressions by concatenating unchecked user input; prefer expression attribute names/values with strict allow-lists.
- Audit any unsafe blocks or third-party crates that manipulate buffers near DynamoDB serialization paths.
These practices reduce the attack surface that could lead to heap corruption when the service interacts with DynamoDB.