CVE-2023-44386

Incorrect request error handling triggers server crash in Vapor

CVSS 5.3 MEDIUM · EPSS 0.6% · CWE-231 · CWE-617 · CWE-696
In short

Vapor, a web framework for Swift, crashes when it receives malformed HTTP requests because it closes connections instead of handling errors properly. This allows attackers to take down the service by sending bad requests.

Technical detail

A denial of service vulnerability in Vapor's HTTP/1 error handler allows unauthenticated remote attackers to crash the server by sending malformed HTTP requests, with no special privileges or user interaction required. The framework closes connections on HTTP parse errors instead of handling them gracefully. Fixed in Vapor 4.84.2.

Summary generated and translated by AI from the official description.
Vapor is an HTTP web framework for Swift. There is a denial of service vulnerability impacting all users of affected versions of Vapor. The HTTP1 error handler closed connections when HTTP parse errors occur instead of passing them on. The issue is fixed as of Vapor release 4.84.2.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected products
vapor · vapor
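
To check a Swift project against the fixed release above, the following added example (not code from Vapor or from this page) reads a SwiftPM `Package.resolved` file and reports whether the pinned Vapor version is below 4.84.2. It assumes every version below the fix warrants review, since the page gives no lower bound for the affected range; the function names and sample files are constructed for illustration.

```python
import json

FIXED = (4, 84, 2)  # fixed Vapor release named on this page

def parse_version(text):
    """'4.84.1' -> (4, 84, 1). Pre-release/build suffixes are ignored."""
    core = text.split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def find_vapor_pin(doc):
    """Return Vapor's pin from a parsed Package.resolved, or None."""
    # Format version 1 nests pins under "object"; later versions do not.
    pins = doc.get("object", doc).get("pins", [])
    for pin in pins:
        name = (pin.get("identity") or pin.get("package") or "").lower()
        url = (pin.get("location") or pin.get("repositoryURL") or "").lower()
        if name == "vapor" or url.endswith(("/vapor/vapor", "/vapor/vapor.git")):
            return pin
    return None

def assess(resolved_text):
    """Classify a Package.resolved file against the fixed release."""
    pin = find_vapor_pin(json.loads(resolved_text))
    if pin is None:
        return "absent"
    version = (pin.get("state") or {}).get("version")
    if not version:
        return "no-version"  # branch or revision pin: review by hand
    return "patched" if parse_version(version) >= FIXED else "below-fix"

# Constructed sample files (not from any real project).
SAMPLE_V1 = json.dumps({"version": 1, "object": {"pins": [
    {"package": "vapor", "repositoryURL": "https://github.com/vapor/vapor.git",
     "state": {"branch": None, "revision": "CONSTRUCTED", "version": "4.84.1"}}]}})
SAMPLE_V2 = json.dumps({"version": 2, "pins": [
    {"identity": "vapor", "kind": "remoteSourceControl",
     "location": "https://github.com/vapor/vapor.git",
     "state": {"revision": "CONSTRUCTED", "version": "4.84.2"}}]})
SAMPLE_BRANCH = json.dumps({"version": 2, "pins": [
    {"identity": "vapor", "kind": "remoteSourceControl",
     "location": "https://github.com/vapor/vapor.git",
     "state": {"branch": "main", "revision": "CONSTRUCTED"}}]})

if __name__ == "__main__":
    for label, text in [("v1", SAMPLE_V1), ("v2", SAMPLE_V2), ("branch", SAMPLE_BRANCH)]:
        print(label, assess(text))
```

A `no-version` result means Vapor is pinned to a branch or revision, so the commit has to be compared against the 4.84.2 release by hand.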
