Vapor HTTP Error Handling Security Vulnerability

We've fixed an issue in Vapor's Error Handling - CVE-2023-44386
Tim
Tim
Published 05th October 2023

Vapor HTTP Error Handling Security Vulnerability

We've just released Vapor 4.84.2 which contains a fix for a security vulnerability in Vapor's error handling. An attacker could crash a Vapor application by sending invalid requests, such as a GET request with a body and Content-Length that was incorrect, which under certain scenarios could lead to a Denial of Service attack. This has been designated as CVE-2023-44386.

When the right conditions were met Vapor would attempt to write a response to a channel handler that had already been closed, triggering a NIO precondition. We've improved the checking in our channel handlers and channel handlers setup to ensure this is no longer possible and added tests to ensure we catch this behavior. You can see more details on the Security Advisory on GitHub.

We recommend you upgrade to this release as soon as possible.

Thank you to t0rchwood for reporting!