CVE-2026-28980: SwiftNIO NIOHTTP1: HTTPDecoder accepts unbounded HTTP/1 header blocks, enabling remote DoS
The HTTPDecoder in NIOHTTP1 enforces no limit on the total size of an HTTP/1 message’s header block or on the number of header fields per message. A remote peer can submit an arbitrary number of small, valid headers in a single request and have them all accumulated into the resulting HTTPHeaders value before any application code runs. This can be used to exhaust memory, or — for consumers that subsequently convert headers into swift-http-types’ HTTPFields — to crash the process.
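The missing control is a bound checked while the header block is still being consumed. The following is an added, standalone illustration of that check; it is not SwiftNIO's HTTPDecoder or its fix, and the type names, function name and limit values are assumptions chosen for the example.

```swift
import Foundation

// Added illustration: a standalone model of bounded header accumulation.
// NOT SwiftNIO code; HeaderLimits, HeaderBlockError and parseHeaderBlock are hypothetical.
struct HeaderLimits {
    var maxBlockBytes = 16 * 1024   // assumed cap on the whole header block
    var maxFieldCount = 100         // assumed cap on fields per message
}

enum HeaderBlockError: Error {
    case blockTooLarge    // a server would answer 431 Request Header Fields Too Large
    case tooManyFields    // likewise 431
    case malformedField
    case incomplete       // terminator not seen yet; caller may buffer more
}

/// Parses the header lines that follow the request line, up to the blank line.
/// Both limits are checked as each line is consumed, before the field is stored.
func parseHeaderBlock(_ bytes: [UInt8], limits: HeaderLimits = HeaderLimits())
    throws -> [(name: String, value: String)] {
    var fields: [(name: String, value: String)] = []
    var lineStart = 0, i = 0
    while i + 1 < bytes.count {
        // The byte budget covers everything scanned, not just completed fields.
        if i >= limits.maxBlockBytes { throw HeaderBlockError.blockTooLarge }
        guard bytes[i] == 13, bytes[i + 1] == 10 else { i += 1; continue }  // look for CRLF
        let line = bytes[lineStart..<i]
        if line.isEmpty { return fields }  // blank line ends the block
        if fields.count >= limits.maxFieldCount { throw HeaderBlockError.tooManyFields }
        guard let colon = line.firstIndex(of: 58), colon > line.startIndex else {
            throw HeaderBlockError.malformedField  // no ':' or empty field name
        }
        let name = String(decoding: line[..<colon], as: UTF8.self)
        let value = String(decoding: line[(colon + 1)...], as: UTF8.self)
            .trimmingCharacters(in: .whitespaces)
        fields.append((name: name, value: value))
        i += 2; lineStart = i
    }
    // No terminator yet: refuse to keep buffering once the budget is spent.
    throw bytes.count >= limits.maxBlockBytes ? HeaderBlockError.blockTooLarge : HeaderBlockError.incomplete
}

// Constructed sample input: 1,000 small, individually valid fields in one message.
let flood = (0..<1000).map { "x-\($0): a\r\n" }.joined() + "\r\n"
do {
    _ = try parseHeaderBlock(Array(flood.utf8))
} catch {
    print("rejected:", error)
}
```

The final `throw` matters for streaming decoders: an unterminated header block has to count against the byte budget too, otherwise a peer that never sends the blank line is never bounded.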