
CVE-2022-31019 vapor

Package

Manager: swift
Name: vapor
Vulnerable Version: >=0 <4.61.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00355 (percentile 0.57052)

Details

Vapor vulnerable to denial of service in URLEncodedFormDecoder

Vapor is an HTTP web framework for Swift. Vapor versions earlier than 4.61.1 are vulnerable to a denial of service in the URLEncodedFormDecoder.

### Impact

When using automatic content decoding, e.g.

```swift
app.post("foo") { request -> String in
    let foo = try request.content.decode(Foo.self)
    return "\(foo)"
}
```

an attacker can craft a request body that makes the server crash, for example with the following request:

```
curl -d "array[_0][0][array]$(for f in $(seq 1100); do echo -n '[_0][0][array]'; done)[string][_0]=hello%20world" http://localhost:8080/foo
```

The issue is unbounded, attacker-controlled stack growth, which will at some point lead to a stack overflow.

### Patches

Fixed in 4.61.1.

### Workarounds

If you don't need to decode Form URL Encoded data, you can disable it in the `ContentConfiguration` so the decoder won't be used, e.g. in **configure.swift**:

```swift
var contentConfig = ContentConfiguration()
contentConfig.use(encoder: JSONEncoder.custom(dates: .iso8601), for: .json)
contentConfig.use(decoder: JSONDecoder.custom(dates: .iso8601), for: .json)
contentConfig.use(encoder: JSONEncoder.custom(dates: .iso8601), for: .jsonAPI)
contentConfig.use(decoder: JSONDecoder.custom(dates: .iso8601), for: .jsonAPI)
ContentConfiguration.global = contentConfig
```

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [the Vapor repo](https://github.com/vapor/vapor)
* Ask in [Vapor Discord](http://vapor.team)
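The root cause above is that the decoder's nesting depth is driven by attacker input and consumed on the call stack. The following added example (Python, not Vapor's code) shows the defensive shape of a fix for this class of bug: a form-URL-encoded decoder that enforces an explicit nesting limit and builds the nested structure with a loop instead of recursion, so a deeply nested key is rejected as a policy error rather than exhausting the stack. The `max_depth` value of 8 and the `crafted_body` helper, which reproduces the bracket pattern from the advisory's curl command, are assumptions for illustration.

```python
import re
from urllib.parse import parse_qsl

# Assumed policy limit; real applications should pick a value from their own schemas.
MAX_NESTING_DEPTH = 8

# A key is a bare name followed by zero or more "[segment]" groups, e.g. array[_0][0][array].
_KEY_RE = re.compile(r'([^\[\]]+)((?:\[[^\[\]]*\])*)')
_SEGMENT_RE = re.compile(r'\[([^\[\]]*)\]')


class NestingTooDeep(ValueError):
    """Raised when a form key nests deeper than the configured limit."""

    def __init__(self, key, depth, limit):
        super().__init__(f"key nests {depth} levels deep, limit is {limit}")
        self.key, self.depth, self.limit = key, depth, limit


def split_key(key):
    """Split 'a[b][c]' into ['a', 'b', 'c']; the list length is the nesting depth."""
    m = _KEY_RE.fullmatch(key)
    if not m:
        raise ValueError(f"malformed form key: {key!r}")
    return [m.group(1)] + _SEGMENT_RE.findall(m.group(2))


def decode_bounded(body, max_depth=MAX_NESTING_DEPTH):
    """Decode a form-URL-encoded body into nested dicts.

    Depth is checked before any structure is built, and the structure is
    assembled iteratively, so memory and stack use are bounded by max_depth
    and not by what the client sends.
    """
    result = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        parts = split_key(key)
        if len(parts) > max_depth:
            raise NestingTooDeep(key, len(parts), max_depth)
        node = result
        for part in parts[:-1]:
            node = node.setdefault(part, {})
            if not isinstance(node, dict):
                raise ValueError(f"key {key!r} conflicts with an earlier scalar")
        node[parts[-1]] = value
    return result


def crafted_body(repeats):
    """Constructed input: the same nesting pattern as the advisory's curl payload."""
    return "array[_0][0][array]" + "[_0][0][array]" * repeats + "[string][_0]=hello%20world"
```

With the advisory's 1100 repetitions the crafted key nests 3306 levels deep, and `decode_bounded` raises `NestingTooDeep` instead of descending into it.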

Metadata

Created: 2023-06-07T16:11:16Z
Modified: 2023-06-07T16:11:16Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-qvxg-wjxc-r4gg/GHSA-qvxg-wjxc-r4gg.json
CWE IDs: ["CWE-120", "CWE-121", "CWE-674"]
Alternative ID: GHSA-qvxg-wjxc-r4gg
Finding: F316
Auto approve: 1