CVE-2021-21328
Denial of Service
In short
Vapor web framework versions before 4.40.1 are vulnerable to denial-of-service attacks where sending requests to many different URLs can create unlimited counters and timers, draining system resources and affecting the application and connected services.
Technical detail
CWE-400 resource exhaustion vulnerability in Vapor's metrics backend: unauthenticated attackers can trigger unlimited counter/timer creation by sending requests to arbitrary undefined routes, consuming memory and processing resources. Patched by rewriting undefined routes to a single `vapor_route_undefined` counter. Affects any Vapor instance with metrics enabled pre-4.40.1.
Summary generated and translated by AI from the official description.
Vapor is a web framework for Swift. In Vapor before version 4.40.1, there is a DoS attack against anyone who bootstraps a metrics backend for their Vapor app. The following is the attack vector: 1. Send unlimited requests against a Vapor instance with different paths. This will create unlimited counters and timers, which will eventually drain the system. 2. Downstream services might suffer from this attack as well by being spammed with error paths. This has been patched in 4.40.1. The `DefaultResponder` will rewrite any undefined route paths to `vapor_route_undefined` to avoid unlimited counters.
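To show the unbounded-label defect and the 4.40.1 fix side by side, here is an added Python model; it is not Vapor's Swift code. It assumes that a request matching a registered route template (e.g. `/users/:id`) is labelled by that template, that the vulnerable mode labels an unmatched request by its raw path, and that the fixed mode collapses every unmatched path to `vapor_route_undefined`.

```python
import re
from collections import defaultdict

UNDEFINED_LABEL = "vapor_route_undefined"  # label introduced by the 4.40.1 fix

def compile_template(template):
    """Turn a route template like "/users/:id" into a regex; ":x" matches one segment."""
    segs = [s for s in template.split("/") if s]
    body = "/".join("[^/]+" if s.startswith(":") else re.escape(s) for s in segs)
    return re.compile("^/" + body + "$")

class RouteMetrics:
    """Toy per-route request counter keyed by a path label (assumed model).

    collapse_undefined=False models the vulnerable behaviour, True models the fix.
    """
    def __init__(self, routes, collapse_undefined):
        self.routes = [(t, compile_template(t)) for t in routes]
        self.collapse_undefined = collapse_undefined
        self.counters = defaultdict(int)

    def label_for(self, path):
        # A matched route is labelled by its template, so "/users/1" and
        # "/users/2" share one counter in both modes.
        for template, pattern in self.routes:
            if pattern.match(path):
                return template
        # Unmatched paths are client-controlled: one shared label (fixed)
        # or one fresh label per distinct path (vulnerable).
        return UNDEFINED_LABEL if self.collapse_undefined else path

    def record(self, path):
        self.counters[self.label_for(path)] += 1

    def series_count(self):
        """Number of distinct counters (time series) the backend now holds."""
        return len(self.counters)

def simulate(collapse_undefined, n=1000):
    """Replay n requests to a defined route and n to distinct undefined paths."""
    m = RouteMetrics(["/", "/users/:id", "/health"], collapse_undefined)
    for i in range(n):
        m.record(f"/users/{i}")  # defined route, varying parameter value
        m.record(f"/junk-{i}")   # constructed undefined path, unique per request
    return m

if __name__ == "__main__":
    print("vulnerable:", simulate(False).series_count())  # grows with n
    print("fixed:", simulate(True).series_count())        # stays at 2
```

The vulnerable count grows linearly with the number of distinct unmatched paths, which is exactly the memory and processing drain the advisory describes; after the fix it stays constant. A useful detection check on a live deployment is alerting when the number of distinct route labels in the metrics backend exceeds the number of registered routes plus one.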
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected products
vapor · vapor