SwiftNIO versions before 2.13.1 (and SwiftNIO 1 versions before 1.14.2) are vulnerable to CVE-2019-15605: HTTP request smuggling using a malformed Transfer-Encoding header.
Please make sure you immediately upgrade to SwiftNIO >= 2.13.1 (or >= 1.14.2 for SwiftNIO 1).
For more information about this vulnerability:
- The Node.js security post, which is relevant because SwiftNIO vendors Node.js's HTTP parser.
- The post in the SwiftNIO category: SwiftNIO Security Releases: 2.13.1 and 1.14.2.
- The security advisory on the SwiftNIO GitHub project.
Again, we'd like to thank ZeddYu Lu for his prompt reporting of the issue to us.
And apologies for the delayed post in this category, which happened because we were under the impression that we should get a specific CVE number for SwiftNIO instead of sharing the Node.js CVE. We were advised to re-use Node.js's CVE number because it's the same vulnerability in the same codebase.
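
To confirm that a project has picked up the fixed releases named above, the following check reads a SwiftPM `Package.resolved` file and compares the pinned swift-nio version against 2.13.1 and 1.14.2. It is an added example, not code from the SwiftNIO project or from the original post; it assumes the v1 (`object.pins`) and v2 (`pins`) file layouts, and the sample file contents are constructed.

```python
import json

# Fixed releases named in the post, keyed by major version.
FIXED = {1: (1, 14, 2), 2: (2, 13, 1)}

def parse_version(text):
    """'2.13.0' -> (2, 13, 0). Pre-release/build suffixes are dropped."""
    core = text.split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def nio_pin(resolved):
    """Locate the swift-nio pin in a v1 (object.pins) or v2+ (pins) file."""
    pins = resolved.get("pins") or resolved.get("object", {}).get("pins", [])
    for pin in pins:
        url = (pin.get("location") or pin.get("repositoryURL") or "").lower()
        url = url.rstrip("/")
        if url.endswith(".git"):
            url = url[:-4]
        name = (pin.get("identity") or pin.get("package") or "").lower()
        if name == "swift-nio" or url.endswith("/swift-nio"):
            return pin
    return None

def check(resolved_text):
    """Return 'ok', 'vulnerable', 'unpinned' or 'not-present'."""
    pin = nio_pin(json.loads(resolved_text))
    if pin is None:
        return "not-present"
    version = (pin.get("state") or {}).get("version")
    if not version:
        return "unpinned"  # branch or revision pin: check the commit by hand
    v = parse_version(version)
    if v[0] > 2:
        return "ok"
    fixed = FIXED.get(v[0])
    return "ok" if fixed and v >= fixed else "vulnerable"

# Constructed sample files (not taken from a real project).
SAMPLE_V1 = '''{"object": {"pins": [{"package": "swift-nio",
  "repositoryURL": "https://github.com/apple/swift-nio.git",
  "state": {"branch": null, "revision": "<constructed>", "version": "2.13.0"}}]},
  "version": 1}'''
SAMPLE_V2 = '''{"pins": [{"identity": "swift-nio", "kind": "remoteSourceControl",
  "location": "https://github.com/apple/swift-nio.git",
  "state": {"revision": "<constructed>", "version": "2.13.1"}}], "version": 2}'''

if __name__ == "__main__":
    print(check(SAMPLE_V1), check(SAMPLE_V2))
```

swift-nio is often pulled in transitively, so run the check against the resolved file rather than the direct dependency list in `Package.swift`.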