Swift-nio-http2 is not vulnerable to VU#421644

You may have seen discussion of VU#421644 floating around. This is a quick note to say that swift-nio-http2 is considered to be not vulnerable to this issue. We police inbound header list sizes before decoding, don't do incremental header decode, and incrementally police the list size when we do decode. As a result, it is not possible to obtain huge state commitments from NIOHTTP2 with this attack.

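The three checks described in the post, sketched as an added Swift example that is not swift-nio-http2's own code: it caps the buffered header-block bytes before any decoding, decodes only once the block is complete, and counts the decoded list size field by field. The type names, the limits and the length-prefixed stand-in decoder (not HPACK) are assumptions made for illustration.

```swift
// Added illustration, not swift-nio-http2 source; every name here is hypothetical.
enum HeaderBlockError: Error { case encodedBlockTooLarge, headerListTooLarge, malformed }

struct HeaderBlockGuard {
    let maxBufferedBytes: Int    // assumed cap on the still-encoded block
    let maxHeaderListSize: Int   // assumed cap on the decoded header list
    var buffered: [UInt8] = []

    /// Feed one HEADERS or CONTINUATION payload; nothing is decoded until END_HEADERS.
    mutating func receive(_ fragment: [UInt8], endHeaders: Bool) throws -> [(String, String)]? {
        // Check 1: bound the buffered block before storing or decoding anything.
        guard buffered.count + fragment.count <= maxBufferedBytes else {
            buffered.removeAll()
            throw HeaderBlockError.encodedBlockTooLarge
        }
        buffered.append(contentsOf: fragment)
        guard endHeaders else { return nil }
        defer { buffered.removeAll() }
        return try decode(buffered)
    }

    /// Stand-in decoder (NOT HPACK): repeated [nameLen][name][valueLen][value].
    func decode(_ bytes: [UInt8]) throws -> [(String, String)] {
        var out: [(String, String)] = []
        var listSize = 0, i = 0
        func field() throws -> String {
            guard i < bytes.count, i + 1 + Int(bytes[i]) <= bytes.count else { throw HeaderBlockError.malformed }
            let start = i + 1, end = i + 1 + Int(bytes[i])
            i = end
            return String(decoding: bytes[start..<end], as: UTF8.self)
        }
        while i < bytes.count {
            let name = try field()
            let value = try field()
            // Check 2: running total while decoding; RFC 7540 counts name + value + 32.
            listSize += name.utf8.count + value.utf8.count + 32
            guard listSize <= maxHeaderListSize else { throw HeaderBlockError.headerListTooLarge }
            out.append((name, value))
        }
        return out
    }
}

// Constructed input: fragments that never set END_HEADERS.
var blockGuard = HeaderBlockGuard(maxBufferedBytes: 64, maxHeaderListSize: 256)
do {
    for _ in 0..<10 { _ = try blockGuard.receive([UInt8](repeating: 0x61, count: 16), endHeaders: false) }
} catch { print("rejected:", error) }
```

Because the first check runs on every fragment, the memory held for an unfinished header block never exceeds `maxBufferedBytes`, however many fragments the peer sends.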