
Vapor HTTP Error Handling Security Vulnerability

Vapor 4.84.2 fixes CVE-2023-44386, an error-handling flaw that let an attacker crash an app by triggering a write to a closed channel. Upgrade now.

We’ve just released Vapor 4.84.2, which contains a fix for a security vulnerability in Vapor’s error handling. An attacker could crash a Vapor application by sending invalid requests, such as a GET request carrying a body whose Content-Length was incorrect, which under certain scenarios could lead to a Denial of Service attack. This has been designated as CVE-2023-44386.

When the right conditions were met, Vapor would attempt to write a response to a channel handler that had already been closed, triggering a NIO precondition failure. We’ve improved the checking in our channel handlers and channel handler setup to ensure this is no longer possible, and added tests to ensure we catch this behavior. You can see more details in the Security Advisory on GitHub.
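As an added illustration of the class of check involved (not Vapor’s own fix, whose details are in the GitHub advisory), here is a hypothetical SwiftNIO handler that answers a request on a later event-loop tick and refuses to write once the handler has left the pipeline or the channel is no longer active. The handler name and the echo behavior are assumptions for the example.

```swift
import NIOCore

/// Hypothetical handler (example code, not Vapor's): it replies to each inbound
/// message asynchronously, so the peer may have disconnected before the reply
/// is ready. Using the ChannelHandlerContext after the handler has been removed
/// trips a NIO precondition, so the deferred write is guarded.
final class GuardedResponder: ChannelInboundHandler {
    typealias InboundIn = ByteBuffer
    typealias OutboundOut = ByteBuffer

    /// Set once the handler is removed from the pipeline; no write may follow.
    private var removed = false

    func handlerRemoved(context: ChannelHandlerContext) {
        removed = true
    }

    func channelRead(context: ChannelHandlerContext, data: NIOAny) {
        let request = unwrapInboundIn(data)
        let text = request.getString(at: request.readerIndex, length: request.readableBytes) ?? ""

        // Simulate work that finishes after the client may already be gone.
        _ = context.eventLoop.scheduleTask(in: .milliseconds(10)) { [self] in
            // Both conditions are checked: the handler may have been removed
            // (context is unusable) or the channel may have been closed.
            guard !self.removed, context.channel.isActive else {
                return // drop the response instead of crashing the process
            }
            var response = context.channel.allocator.buffer(capacity: text.utf8.count + 6)
            response.writeString("echo: \(text)")
            context.writeAndFlush(self.wrapOutboundOut(response), promise: nil)
        }
    }

    func errorCaught(context: ChannelHandlerContext, error: Error) {
        // Malformed input (for example a body whose Content-Length does not
        // match what was sent) closes the connection cleanly rather than
        // leaving a pending write to fire against a dead channel.
        context.close(promise: nil)
    }
}
```

The same guard applies to any code path that holds a context or channel across an asynchronous boundary, not only handlers that reply on a timer.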

We recommend you upgrade to this release as soon as possible.

Thank you to t0rchwood for reporting!