Stack Overflow in Axum with Api Keys
Stack Overflow in Axum with Api Keys — how this specific combination creates or exposes the vulnerability
When an Axum service uses API keys for authorization but does not enforce rate limits, it can expose a resource exhaustion and denial-of-service path. Stack overflow in this context is not about parsing deeply nested JSON; it is about unbounded consumption of server-side resources caused by many rapid requests that are individually valid (authenticated with a key) but collectively overwhelm the service. An attacker who discovers or guesses a valid API key can send a high-volume stream of requests to endpoints that perform expensive work, such as large query scans or synchronous processing, leading to thread pool saturation, memory pressure, and request queuing or timeouts.
In Axum, this often arises when a key-guarded route does not apply per-client or global rate limiting and when handlers perform unbounded operations. For example, an endpoint that accepts a query parameter for page size without capping the requested page size can cause the handler to allocate large vectors or streams, increasing memory usage per request. If the API key is leaked or shared, a single compromised key allows an attacker to scale this behavior across many requests. Because middleBrick tests unauthenticated attack surfaces and also flags API key exposure and missing rate controls as separate findings, the scanner can highlight an absence of per-key throttling even when authentication itself is not broken.
Consider an Axum route that uses a raw API key header but delegates authorization to a permissive handler:
async fn handler(
Key(key) = Key::::from("secret"),
Extension(state): Extension,
) -> impl IntoResponse {
// No limit on how much work this does per request
let data = expensive_query_all(&state.db).await;
(StatusCode::OK, data)
}
If expensive_query_all returns a large dataset and the route is called repeatedly with a valid key, the service can experience sustained high CPU and memory usage. middleBrick’s 12 parallel checks include Authentication, Rate Limiting, and BFLA/Privilege Escalation, so a scan can surface that the endpoint is key-protected but lacks throttling and does not enforce reasonable resource bounds. This combination flags a high risk of denial-of-service via resource exhaustion, aligning with common OWASP API Top 10 categories such as Improper Rate Limiting and Excessive Data Exposure.
Stack overflow via API keys is exacerbated when keys are long-lived, shared across clients, or embedded in client-side code, increasing the chance of misuse. Because middleBrick scans the unauthenticated attack surface and flags missing rate controls, it helps identify routes that accept authenticated traffic without safeguards. Remediation focuses on introducing per-key rate limits, bounding input sizes, and ensuring handlers impose sensible work caps to prevent unbounded resource consumption.
Api Keys-Specific Remediation in Axum — concrete code fixes
To mitigate stack overflow and resource exhaustion risks when using API keys in Axum, apply per-key rate limiting, validate and bound inputs, and design handlers to avoid unbounded work. Below are concrete, idiomatic Axum examples that integrate these protections.
1. Apply per-key rate limiting with tower::limit
Use a rate-limiting layer that scopes limits by API key. With tower::rate::RateLimitLayer you can set a maximum number of requests per second per key. Store per-key state in memory or use a shared cache for distributed setups.
use axum::{routing::get, Router};
use std::net::SocketAddr;
use tower::limit::RateLimitLayer;
use tower_http::auth::{AuthLayer, Credentials, RejectionPolicy};
use std::time::Duration;
async fn validate_key(key: &str) -> bool {
// Replace with your key lookup logic
key == "trusted-key"
}
#[tokio::main]
async fn main() {
let app = Router::new()
.route("/data", get(handler))
.layer(
AuthLayer::new(validate_key)
.rejection_reason("Invalid API key")
.rejection_policy(RejectionPolicy::Custom(|| async { (StatusCode::UNAUTHORIZED, "Bad key") })),
)
.layer(RateLimitLayer::new(
tower::limit::NoOpKeyResolver,
tower::limit::NoOpClock,
100, // max requests per window
Duration::from_secs(1),
));
let addr = SocketAddr::from(([127, 0, 0, 1], 3000));
axum::Server::bind(&addr)
.serve(app.into_make_service())
.await
.unwrap();
}
async fn handler() -> &'static str {
"ok"
}
In this example, the rate limit is global. To make it per-key, use a key-aware rate limiter such as tower::limit::ConcurrencyLimitLayer with a key extractor that maps requests to a per-key semaphore, or integrate a Redis-backed token bucket via tower-redis.
2. Bound inputs and cap work per request
Always validate query and body parameters that control iteration or allocation. For page-size parameters, enforce a server-side maximum:
use axum::{routing::get, Json, Router};
use serde::Deserialize;
use std::net::SocketAddr;
#[derive(Deserialize)]
struct ListRequest {
#[serde(default)]
page_size: usize,
}
const MAX_PAGE_SIZE: usize = 100;
async fn list_handler(Json(payload): Json) -> Json<Vec<String>> {
let page_size = payload.page_size.min(MAX_PAGE_SIZE);
// Fetch at most page_size records; avoid unbounded queries
let items = fetch_items(page_size).await;
Json(items)
}
async fn fetch_items(limit: usize) -> Vec<String> {
// Simulate bounded data retrieval
(0..limit).map(|i| format!("item-{}", i)).collect()
}
#[tokio::main]
async fn main() {
let app = Router::new().route("/items", get(list_handler));
let addr = SocketAddr::from(([127, 0, 0, 1], 3000));
axum::Server::bind(&addr)
.serve(app.into_make_service())
.await
.unwrap();
}
By capping page_size and using bounded collections, you prevent a single request from consuming excessive memory or CPU. Combine this with per-key rate limits to reduce the impact of a compromised key.
3. Use middleware for key validation and throttling
Implement a thin middleware that validates the key and checks a per-key token bucket before passing the request to handlers. This keeps handlers focused and ensures consistent enforcement across routes.
use axum::{async_trait, extract::FromRequest, http::StatusCode, middleware::Next, response::IntoResponse, Request, Router};
use std::collections::HashMap;
use std::sync::{Arc, Mutex};
use std::time::{Duration, Instant};
struct KeyState {
tokens: f64,
last: Instant,
}
struct KeyGuard {
key: String,
}
#[async_trait]
impl FromRequest<S> for KeyGuard
where
S: Send + Sync,
{
type Rejection = (StatusCode, &'static str);
async fn from_request(req: Request, _state: &S) -> Result<Self, Self::Rejection> {
let headers = req.headers();
match headers.get("X-API-Key") {
Some(h) => Ok(KeyGuard { key: h.to_str().unwrap_or_default().to_string() }),
None => Err((StatusCode::UNAUTHORIZED, "missing key")),
}
}
}
struct RateLimiter {
limits: Arc<Mutex<HashMap<String, KeyState>>>,
max_tokens: f64,
refill_rate: f64,
}
impl RateLimiter {
fn allow(&mut self, key: &str) -> bool {
let mut limits = self.limits.lock().unwrap();
let state = limits.entry(key.to_string()).or_insert(KeyState { tokens: self.max_tokens, last: Instant::now() });
let elapsed = state.last.elapsed().as_secs_f64();
state.tokens = (self.max_tokens).min(state.tokens + elapsed * self.refill_rate);
state.last = Instant::now();
if state.tokens >= 1.0 {
state.tokens -= 1.0;
true
} else {
false
}
}
}
async fn guarded_handler(KeyGuard { key }: KeyGuard) -> impl IntoResponse {
format!("handled for {}", key)
}
#[tokio::main]
async fn main() {
let limits = Arc::new(Mutex::new(HashMap::new()));
let rate_limiter = Arc::clone(&limits);
let mut router = Router::new().route("/data", get(guarded_handler));
// Attach a custom layer that uses rate_limiter
router = router.layer(axum::middleware::from_fn(move |req, next| {
let limiter = &rate_limiter;
async move {
if let Some(key) = req.headers().get("X-API-Key") {
if let Ok(k) = key.to_str() {
if limiter.lock().unwrap().allow(k) {
return Ok(next.run(req).await);
}
}
}
Ok::<_, (StatusCode, &'static str)>((StatusCode::TOO_MANY_REQUESTS, "rate limit exceeded").into_response())
}
}));
let addr = SocketAddr::from(([127, 0, 0, 1], 3000));
axum::Server::bind(&addr)
.serve(router.into_make_service())
.await
.unwrap();
}
These patterns address the stack-overflow-like risk by ensuring that valid API keys cannot drive unbounded resource consumption. They align with the remediation guidance provided in middleBrick findings and help you maintain a secure, stable Axum service when using API keys.