GHSA-mgc4-wqv7-4pxm – github.com/apple/swift-nio

Package

Manager: swift
Name: github.com/apple/swift-nio
Vulnerable Version: >=1.0.0 <1.14.2 || >=2.0.0 <2.13.1

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

SwiftNIO vulnerable to HTTP request smuggling using malformed Transfer-Encoding header ### Impact Affected SwiftNIO systems are vulnerable to request smuggling attacks, in which they parse a given HTTP message differently from other network parties, potentially seeing a different number of requests than other servers. This can lead to failures of authentication, routing, and other issues. This vulnerability can be found in the bundled copy of the Node.JS HTTP parser used in the `NIOHTTP1` module. ### Workarounds No workaround is available, users must upgrade. ### References https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/#http-request-smuggling-using-malformed-transfer-encoding-header-critical-cve-2019-15605

Metadata

Created: 2023-05-18T17:29:43Z
Modified: 2023-05-18T17:29:43Z
Source: https://osv-vulnerabilities
CWE IDs: ["CWE-444"]
Alternative ID: N/A
Finding: F110
Auto approve: 1