SwiftNIO Extras in the version range 1.3.0 ... 1.4.0 is affected by a Denial of Service security vulnerability if the NIOHTTPCompression component is used. Specifically, the NIOHTTPRequestDecompressor and NIOHTTPResponseDecompressor handlers are affected when used with the .size(...) decompression limit. The vulnerability has been fixed in SwiftNIO Extras 1.4.1.
Please make sure to update your dependency to 1.4.1 or newer. For example:
.package(url: "https://github.com/apple/swift-nio-extras.git", from: "1.4.1")
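To show what the affected configuration looks like in a pipeline, here is an added example (not code from the advisory or from the swift-nio-extras project) that wires the two handlers named above with a .size(...) limit on top of the 1.4.1 dependency; the 16 MiB value and the function names are our own choices.

```swift
// Package.swift excerpt: the dependency line from the advisory plus the
// product that contains the affected handlers (target wiring omitted).
//   .package(url: "https://github.com/apple/swift-nio-extras.git", from: "1.4.1"),
//   .product(name: "NIOHTTPCompression", package: "swift-nio-extras"),

import NIO
import NIOHTTP1
import NIOHTTPCompression

// Upper bound on the decompressed body size. The advisory concerns exactly
// this .size(...) limit; the concrete number here is an assumption.
let maxDecompressedBytes = 16 * 1024 * 1024

// Client side: NIOHTTPResponseDecompressor inflates compressed responses
// and rejects bodies that would exceed the configured limit.
func addHTTPClientHandlers(to channel: Channel) -> EventLoopFuture<Void> {
    channel.pipeline.addHTTPClientHandlers().flatMap {
        channel.pipeline.addHandler(
            NIOHTTPResponseDecompressor(limit: .size(maxDecompressedBytes))
        )
    }
}

// Server side: NIOHTTPRequestDecompressor does the same for compressed
// request bodies sent by clients.
func addHTTPServerHandlers(to channel: Channel) -> EventLoopFuture<Void> {
    channel.pipeline.configureHTTPServerPipeline().flatMap {
        channel.pipeline.addHandler(
            NIOHTTPRequestDecompressor(limit: .size(maxDecompressedBytes))
        )
    }
}
```

With the dependency pinned to 1.4.1 or newer, the limit is enforced as intended; on 1.3.0 ... 1.4.0 the same configuration is the one the advisory describes as affected.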
For more details about the vulnerability see:
- The SwiftNIO Extras security advisory on GitHub.
- CVE-2020-9840
Many thanks to @adtrevor for the report of this security vulnerability.