SwiftNIO Security Releases: 2.13.1 and 1.14.2

Hello all! Please be aware that today we shipped two SwiftNIO security releases: 2.13.1 and 1.14.2. Both of these releases contain the same fix: a patch for Node.js CVE-2019-15605, brought forward into our local copy of http-parser. This vulnerability allowed an HTTP request smuggling attack on SwiftNIO servers, in which a SwiftNIO server would incorrectly parse an HTTP/1.1 message in a way that could open up SwiftNIO-based servers to attack.
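To make concrete what "incorrectly parse an HTTP/1.1 message" means for request smuggling, here is an added Python illustration (not SwiftNIO's or http-parser's code, and not a description of the specific http-parser bug) of the framing rule from RFC 7230 section 3.3.3 that a smuggling-resistant parser has to enforce: the body length of a request must be determinable in exactly one way, so anything that two parsers could frame differently (both Transfer-Encoding and Content-Length, a transfer-coding list that does not end in chunked, conflicting Content-Length values, malformed header names) is rejected rather than guessed at. The request bytes and host name are constructed samples.

```python
"""Strict HTTP/1.1 request-framing check (RFC 7230 section 3.3.3).

Added example for illustration; it is not SwiftNIO or http-parser code.
It accepts only requests whose body delimitation is unambiguous and
reports why it rejects the rest.
"""


class FramingError(ValueError):
    """Raised when request framing is ambiguous or malformed."""


def parse_headers(raw: bytes):
    """Split a raw request head into (request_line, [(name, value)]).

    Header names are lower-cased; values have surrounding whitespace removed.
    Obsolete line folding and whitespace between a name and its colon are
    rejected because different parsers disagree on how to treat them.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("missing end of headers")
    lines = head.split(b"\r\n")
    headers = []
    try:
        request_line = lines[0].decode("ascii")
        for line in lines[1:]:
            if line[:1] in (b" ", b"\t"):
                raise FramingError("obsolete line folding is not accepted")
            name, colon, value = line.partition(b":")
            if not colon or not name or name != name.strip():
                raise FramingError(f"malformed header line: {line!r}")
            headers.append((name.decode("ascii").lower(),
                            value.strip().decode("ascii")))
    except UnicodeDecodeError as exc:
        raise FramingError("non-ASCII bytes in request head") from exc
    return request_line, headers


def body_length_rule(headers) -> str:
    """Return how the body is delimited, or raise FramingError if ambiguous."""
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te and cl:
        # RFC 7230 3.3.3: a message carrying both is a smuggling risk.
        raise FramingError("both Transfer-Encoding and Content-Length present")
    if te:
        # Transfer-Encoding may be split across several header fields;
        # treat them as one comma-separated list of codings.
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            raise FramingError("final transfer-coding is not chunked")
        if codings.count("chunked") != 1:
            raise FramingError("chunked applied more than once")
        return "chunked"
    if cl:
        # Duplicate Content-Length fields must agree and be plain decimal digits.
        if len(set(cl)) != 1 or not cl[0].isdigit():
            raise FramingError("invalid or conflicting Content-Length")
        return f"content-length:{int(cl[0])}"
    return "no-body"


def classify(raw: bytes) -> str:
    """Return 'accept:<rule>' or 'reject:<reason>' for a raw request."""
    try:
        _request_line, headers = parse_headers(raw)
        return "accept:" + body_length_rule(headers)
    except FramingError as exc:
        return "reject:" + str(exc)


# Constructed sample requests (example.invalid is a reserved placeholder host).
PLAIN_REQ = (b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
             b"Content-Length: 5\r\n\r\nhello")
CHUNKED_REQ = (b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
AMBIGUOUS_REQ = (b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
                 b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n")
BAD_CODING_REQ = (b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
                  b"Transfer-Encoding: chunked, identity\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("plain", PLAIN_REQ), ("chunked", CHUNKED_REQ),
                      ("ambiguous", AMBIGUOUS_REQ), ("bad-coding", BAD_CODING_REQ)]:
        print(f"{name:10s} -> {classify(req)}")
```

The point of the check is not the particular heuristics but the policy: when a request admits more than one framing interpretation, a server must fail closed, because a front-end proxy and the back-end server disagreeing on where one request ends and the next begins is exactly the condition request smuggling exploits.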

As this issue is already public knowledge as part of Node.js, we have elected to immediately ship a security fix rather than wait for a SwiftNIO-specific CVE. However, one should be forthcoming in the future. For now, it is appropriate to consider this equivalent to CVE-2019-15605.

Note that Node.js was vulnerable to another HTTP issue. SwiftNIO has been validated not to be at risk of the same issue.

We'd like to thank ZeddYu Lu for his prompt reporting of the issue to us.