In Vapor versions before 4.40.1, there was a vulnerability in Vapor's Swift Metrics integration. An attacker could send multiple requests to bad routes, which would create multiple counters and timers. This could drain system resources and affect downstream systems.
You should upgrade to 4.40.1 if you're bootstrapping a metrics system.
Details can be found on GitHub under Vapor's security advisories. A CVE has been requested and will be added here once issued.
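
The unbounded growth described above, and one general way to cap it, as an added example that is not Vapor's code or its fix. It assumes each metric series is labelled with the request path; `Route`, `MetricsRegistry`, `boundedLabel` and the `unmatched_route` placeholder are hypothetical names, and the traffic is constructed.

```swift
// Added illustration, not Vapor's code. All names here are hypothetical.
struct Route {
    let method: String
    let pattern: [String]   // e.g. ["users", ":id"]; ":" marks a parameter

    func matches(_ method: String, _ path: String) -> Bool {
        let parts = path.split(separator: "/").map(String.init)
        guard method == self.method, parts.count == pattern.count else { return false }
        return zip(pattern, parts).allSatisfy { $0.hasPrefix(":") || $0 == $1 }
    }
    var label: String { "/" + pattern.joined(separator: "/") }
}

/// Stand-in for a metrics backend: one stored series per distinct label set.
final class MetricsRegistry {
    private(set) var counters: [String: Int] = [:]
    func increment(method: String, path: String, status: Int) {
        counters["\(method) \(path) \(status)", default: 0] += 1
    }
}

let routes = [Route(method: "GET", pattern: ["users", ":id"]),
              Route(method: "GET", pattern: ["health"])]

/// Bounded labelling: the route pattern when one matched, a fixed placeholder otherwise.
func boundedLabel(method: String, path: String) -> String {
    routes.first(where: { $0.matches(method, path) })?.label ?? "unmatched_route"
}

// Constructed traffic: two valid requests, then 1,000 distinct paths that match no route.
var requests: [(String, String, Int)] = [("GET", "/users/1", 200), ("GET", "/users/2", 200)]
requests += (0..<1000).map { ("GET", "/no-such-route-\($0)", 404) }

let rawPath = MetricsRegistry()   // series labelled with the path exactly as received
let bounded = MetricsRegistry()   // series labelled with boundedLabel(...)
for (method, path, status) in requests {
    rawPath.increment(method: method, path: path, status: status)
    bounded.increment(method: method,
                      path: boundedLabel(method: method, path: path),
                      status: status)
}

print("series with raw path label:", rawPath.counters.count)
print("series with bounded label: ", bounded.counters.count)
```

With raw paths the series count grows with every distinct path a client sends; with bounded labels it cannot exceed the combinations of registered routes, the placeholder, and status codes.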