Vapor 4.40.1: Denial Of Service Vulnerability in the metrics integration

In Vapor versions before 4.40.1, there was a vulnerability in Vapor's Swift Metrics integration. An attacker could send multiple requests to bad routes, which would create multiple counters and timers. This could potentially drain the system as well as affect downstream systems.

You should upgrade to 4.40.1 if you're bootstrapping a metrics system.

Details can be found on GitHub under Vapor's security advisories. A CVE has been requested and will be added here once issued.

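The failure mode described above is unbounded label cardinality: if a metrics integration keys its counters and timers on the raw request path, every unknown path an attacker probes becomes a new time series that is never freed. The following Python model is an added example, not Vapor's or Swift Metrics' code; it assumes a tiny hypothetical route table and a toy in-memory registry, and contrasts a recorder that labels by raw path with one that labels by the matched route template and folds every unmatched request into a single "unmatched" series.

```python
from collections import defaultdict

# Constructed route table standing in for an application's registered routes (assumption).
ROUTES = {"/users", "/users/:id", "/health"}


class Registry:
    """Toy stand-in for a metrics backend: one counter and one timer per label set.
    Each distinct label tuple costs memory for the lifetime of the process, which is
    exactly what an attacker exploits when they control part of the label."""

    def __init__(self):
        self.counters = defaultdict(int)
        self.timers = defaultdict(list)

    def record(self, labels, duration):
        self.counters[labels] += 1
        self.timers[labels].append(duration)

    def series(self):
        """Number of distinct time series currently held (the cardinality)."""
        return len(self.counters)


def match_route(path):
    """Return the registered template that matches `path`, or None if no route matches.
    A ':name' segment in a template matches any single path segment."""
    segs = path.strip("/").split("/")
    for tmpl in ROUTES:
        tsegs = tmpl.strip("/").split("/")
        if len(tsegs) == len(segs) and all(
            t.startswith(":") or t == s for t, s in zip(tsegs, segs)
        ):
            return tmpl
    return None


def record_request_unbounded(reg, method, path, status, duration):
    # Weak pattern: the raw request path is part of the label, so the client
    # decides how many series exist. Each bad route creates a new counter/timer.
    reg.record((method, path, status), duration)


def record_request_bounded(reg, method, path, status, duration):
    # Hardened pattern: label by the matched route template, and collapse every
    # request that matched nothing into one fixed label. Cardinality is now bounded
    # by the number of registered routes times the number of status codes.
    route = match_route(path) or "unmatched"
    reg.record((method, route, status), duration)


def simulate(recorder, n_bad=1000):
    """Replay a few legitimate requests plus a flood of unknown paths through `recorder`
    and return the resulting series count. Request data is constructed inline."""
    reg = Registry()
    for p in ["/users", "/users/1", "/users/2", "/health"]:
        recorder(reg, "GET", p, 200, 0.01)
    # Flood of distinct bad routes, all answered with 404.
    for i in range(n_bad):
        recorder(reg, "GET", f"/probe{i}", 404, 0.001)
    return reg.series()


if __name__ == "__main__":
    print("unbounded (raw path label):", simulate(record_request_unbounded))   # 1004
    print("bounded (route template label):", simulate(record_request_bounded))  # 4
```

A useful operational check on any metrics endpoint is to watch the series count over time: under the bounded recorder it plateaus at roughly routes × methods × status codes, while a count that keeps climbing with traffic volume is a sign that a request-controlled value has leaked into a label.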

CVE-2021-21328 has now been issued
