We've just fixed a vulnerability in Vapor's URLEncodedFormDecoder where an attacker could send a nested request body causing a stack overflow crash leading to a Denial of Service attack. You can see more details in the blog post or on the security advisory on GitHub.
Thanks to @weissi for reporting!
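A general defence against this class of bug, as an added example (it is not Vapor's code and not the fix from the advisory): bound the nesting depth of form keys with an iterative check before the body reaches a decoder that recurses per nesting level. The bracket syntax `a[b][c]` for nested keys, the function names and the limit of 8 are assumptions for illustration.

```swift
import Foundation

enum FormBodyError: Error {
    case malformedKey(String)
    case nestingTooDeep(key: String, depth: Int, limit: Int)
}

/// Depth of one key: the number of "[" segments after percent-decoding,
/// so "a[b][c]" and "a%5Bb%5D%5Bc%5D" both report 2. Counted in a loop,
/// so the check itself cannot exhaust the stack.
func nestingDepth(ofKey rawKey: String) throws -> Int {
    guard let key = rawKey.removingPercentEncoding else {
        throw FormBodyError.malformedKey(rawKey)
    }
    return key.filter { $0 == "[" }.count
}

/// Validates a raw application/x-www-form-urlencoded body before decoding.
/// `limit` is a hypothetical value; choose one that fits your own forms.
func checkNesting(ofBody body: String, limit: Int = 8) throws {
    for pair in body.split(separator: "&") {
        // The key is everything before the first "=", or the whole pair for a bare flag.
        let parts = pair.split(separator: "=", maxSplits: 1, omittingEmptySubsequences: false)
        let rawKey = String(parts.first ?? "")
        let depth = try nestingDepth(ofKey: rawKey)
        if depth > limit {
            // Report only a short prefix so logs are not flooded by the key itself.
            throw FormBodyError.nestingTooDeep(key: String(rawKey.prefix(32)), depth: depth, limit: limit)
        }
    }
}

// Constructed sample inputs, not captured traffic.
let ordinary = "user[name]=Vapor&user[address][city]=Berlin"
let deeplyNested = "a" + String(repeating: "[x]", count: 10_000) + "=1"

for (label, body) in [("ordinary", ordinary), ("deeply nested", deeplyNested)] {
    do {
        try checkNesting(ofBody: body)
        print("\(label): accepted")
    } catch FormBodyError.nestingTooDeep(let key, let depth, let limit) {
        print("\(label): rejected, depth \(depth) > \(limit), key starts \(key)")
    } catch {
        print("\(label): rejected, \(error)")
    }
}
```

A check like this complements upgrading to the patched release rather than replacing it, and it pairs naturally with a request body size limit.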