Vapor HTTP Error Handling Security Vulnerability
We've just released Vapor 4.84.2 which contains a fix for a security vulnerability in Vapor's error handling. An attacker could crash a Vapor application by sending invalid requests, such as a GET request with a body and Content-Length
that was incorrect, which under certain scenarios could lead to a Denial of Service attack. This has been designated as CVE-2023-44386.
When the right conditions were met Vapor would attempt to write a response to a channel handler that had already been closed, triggering a NIO precondition. We've improved the checking in our channel handlers and channel handlers setup to ensure this is no longer possible and added tests to ensure we catch this behavior. You can see more details on the Security Advisory on GitHub.
We recommend you upgrade to this release as soon as possible.
Thank you to t0rchwood for reporting!