Vapor FileMiddleware Security Vulnerability

We've fixed an issue in Vapor's FileMiddleware - CVE-2022-31005

We've just released Vapor 4.60.3 which contains a fix for a security vulnerability in Vapor's FileMiddleware. An attacker could crash a Vapor application by sending invalid Range headers under certain scenarios, leading to a Denial of Service attack. This has been designated as CVE-2022-31005.

We improved the logic for checking the Range headers and added tests to ensure we catch this behavior. You can see more details on the Security Advisory on GitHub.
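The advisory does not reproduce Vapor's patched logic, so the following is an added example rather than the project's own code: a defensive parser for the HTTP `Range` request header (RFC 7233 `bytes=` syntax) of the kind a static-file handler needs. Every malformed or out-of-bounds input is mapped to a result value (`invalid` or `unsatisfiable`) instead of being passed into an array slice or file read that could trap, which is the property a fix for this class of bug has to guarantee. The `parseByteRange` function, its result type, and the sample headers are all assumptions constructed for this illustration.

```swift
// Added example (not Vapor's code): parse a single-range "bytes=" header
// without ever trapping, so a hostile header cannot crash the process.
enum RangeParseResult: Equatable {
    case satisfiable(lower: Int, upper: Int)   // inclusive byte offsets into the file
    case unsatisfiable                          // well-formed but entirely outside the file (416)
    case invalid                                // syntax error: ignore the header, serve the whole file
}

func parseByteRange(_ header: String, fileSize: Int) -> RangeParseResult {
    guard fileSize > 0 else { return .unsatisfiable }
    // Only the "bytes" unit is supported; any other unit is ignored.
    guard header.hasPrefix("bytes=") else { return .invalid }
    let spec = header.dropFirst("bytes=".count)
    // Multi-range requests ("bytes=0-9,20-29") are rejected in this example.
    guard !spec.contains(",") else { return .invalid }
    let parts = spec.split(separator: "-", omittingEmptySubsequences: false)
    guard parts.count == 2 else { return .invalid }

    // Accept ASCII digits only; Int(_:) returns nil (no trap) on overflow.
    func digits(_ s: Substring) -> Int? {
        guard !s.isEmpty, s.allSatisfy({ $0.isASCII && $0.isNumber }) else { return nil }
        return Int(s)
    }

    let firstStr = parts[0], lastStr = parts[1]
    switch (firstStr.isEmpty, lastStr.isEmpty) {
    case (true, true):
        // "bytes=-" names no bytes at all.
        return .invalid
    case (true, false):
        // Suffix range "-N": the final N bytes; a zero suffix is unsatisfiable per RFC 7233.
        guard let suffix = digits(lastStr) else { return .invalid }
        guard suffix > 0 else { return .unsatisfiable }
        return .satisfiable(lower: max(0, fileSize - suffix), upper: fileSize - 1)
    case (false, true):
        // Open-ended range "N-": from offset N to the end of the file.
        guard let first = digits(firstStr) else { return .invalid }
        guard first < fileSize else { return .unsatisfiable }
        return .satisfiable(lower: first, upper: fileSize - 1)
    case (false, false):
        // Closed range "A-B": A must not exceed B; B is clamped to the file length.
        guard let first = digits(firstStr), let last = digits(lastStr) else { return .invalid }
        guard first <= last else { return .invalid }
        guard first < fileSize else { return .unsatisfiable }
        return .satisfiable(lower: first, upper: min(last, fileSize - 1))
    }
}

// Constructed sample headers covering valid, boundary, and malformed inputs.
let fileSize = 1_000
let samples = [
    "bytes=0-499",                     // satisfiable(lower: 0, upper: 499)
    "bytes=900-",                      // satisfiable(lower: 900, upper: 999)
    "bytes=-100",                      // satisfiable(lower: 900, upper: 999)
    "bytes=500-1500",                  // satisfiable(lower: 500, upper: 999), upper clamped
    "bytes=2000-3000",                 // unsatisfiable
    "bytes=500-100",                   // invalid (first > last)
    "bytes=-",                         // invalid
    "bytes=0-99999999999999999999999", // invalid (integer overflow caught, not trapped)
    "bytes=abc-def",                   // invalid
]
for header in samples {
    print(header, "->", parseByteRange(header, fileSize: fileSize))
}
```

The handler that calls this would answer `416 Range Not Satisfiable` with a `Content-Range: bytes */<size>` header for `.unsatisfiable`, ignore the header entirely for `.invalid`, and only slice the file for `.satisfiable`, where both offsets are already proven to lie inside the file.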

If you're using Vapor's FileMiddleware we recommend you upgrade to this release as soon as possible.

Thank you to Johannes Weiss for reporting!