We've just fixed a vulnerability in Vapor's URI parsing that could lead to potential host spoofing if users try and parse untrusted input. You can see more details in the blog post or on the security advisory on GitHub.
Thanks to baarde for reporting!