Advisories for Swift/Github.com/Apple/Swift-Nio-Http2 package

swift-nio-http2's HTTP/2-to-HTTP/1.1 codec (HTTP2FramePayloadToHTTP1ServerCodec / HTTP2ToHTTP1ServerCodec) did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. A remote attacker could send an HTTP/2 request containing CR (\r), LF (\n), or NUL (\0) bytes in pseudo-header values such as :path, and when the server translated this to HTTP/1.1 — for example in a reverse-proxy configuration — the resulting output could contain injected headers or entirely …

The HTTP/2 MadeYouReset vulnerability has a mild effect on swift-nio-http2. swift-nio-http2 mostly protects against MadeYouReset by using a number of existing denial-of-service prevention patterns that we added in response to the RapidReset vulnerabilities. The result is that servers are not vulnerable to naive attacks based on MadeYouReset, and the naive PoC examples do not affect swift-nio-http2. However, in 1.38.0 we added some defense-in-depth measures as a precautionary measure that detect …

HTTP/2 Rapid reset attack The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RST_STREAM frame. The protocol does not require the client and server to coordinate the cancellation in any way, the client may do it unilaterally. The client may also assume that the cancellation will take effect immediately when the server receives the RST_STREAM frame, before any other …

A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.2. It is fixed in 1.20.0 and later releases. This vulnerability is caused by a logical error when parsing a HTTP/2 HEADERS or HTTP/2 PUSH_PROMISE frame where the frame contains padding information without any other data. This logical …

A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HPACK-encoded header block. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. It is fixed in 1.19.2 and later releases. There are a number of implementation errors in the parsing of HPACK-encoded header blocks that allow maliciously crafted HPACK header blocks to cause crashes in processes using swift-nio-http2. …

A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. It is fixed in 1.19.2 and later releases. This vulnerability is caused by a logical error when parsing a HTTP/2 HEADERS frame where the frame contains priority information without any other data. This logical error caused confusion …

A program using swift-nio-http2 is vulnerable to a denial of service attack caused by a network peer sending ALTSVC or ORIGIN frames. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. It is fixed in 1.19.2 and later releases. This vulnerability is caused by a logical error after frame parsing but before frame handling. ORIGIN and ALTSVC frames are not currently supported by swift-nio-http2, and should be ignored. However, …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-w3f6-pc54-gfw7. This link is maintained to preserve external references. Original Description A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HPACK-encoded header block. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. There are a number of implementation errors in the parsing of HPACK-encoded …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-pgfx-g6rc-8cjv. This link is maintained to preserve external references. Original Description A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. This vulnerability is caused by a logical error when parsing a HTTP/2 HEADERS …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-pgfx-g6rc-8cjv. This link is maintained to preserve external references. Original Description A program using swift-nio-http2 is vulnerable to a denial of service attack caused by a network peer sending ALTSVC or ORIGIN frames. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. This vulnerability is caused by a logical error after frame parsing but before frame …