Lukasapublished

**Name of the Vulnerable Software and Affected Versions** swift-nio-http2 versions 1.0.0 through 1.19.2 **Description** A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. This vulnerability is caused by a logical error when parsing a HTTP/2 HEADERS or HTTP/2 PUSH PROMISE frame where the frame contains padding information without any other data. The attack is low-effort and has a high impact on availability, as receiving the frame immediately crashes the server, dropping all in-flight connections and causing the service to need to restart. The attack does not have any confidentiality or integrity risks in and of itself, but sudden process crashes can lead to violations of invariants in services, potentially triggering an error condition with confidentiality or integrity risks. **Recommendations** For versions 1.0.0 through 1.19.2, update to version 1.20.0 or later to fix the issue. As a temporary workaround, consider restricting access to untrusted peers to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** swift-nio-http2 versions 1.0.0 through 1.19.1 **Description** A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HPACK-encoded header block. This attack affects swift-nio-http2 and can be triggered by sending a malicious HPACK header block on any of the HPACK-carrying frames in a HTTP/2 connection, such as `HEADERS` and `PUSH PROMISE`, at any position. The attack is low-effort and can be repeated to achieve a substantial denial of service, causing the server to crash and drop all in-flight connections. Although the attack itself does not have confidentiality or integrity risks, sudden process crashes can lead to violations of invariants in services, potentially triggering error conditions with such risks. **Recommendations** For swift-nio-http2 versions 1.0.0 through 1.19.1, update to version 1.19.2 or later to fix the issue. As a temporary workaround, consider restricting access to untrusted peers to mitigate the risk of denial of service attacks.

**Name of the Vulnerable Software and Affected Versions** swift-nio-http2 versions 1.0.0 through 1.19.1 **Description** A program using swift-nio-http2 is vulnerable to a denial of service attack caused by a network peer sending ALTSVC or ORIGIN frames. This attack is caused by a logical error after frame parsing but before frame handling. ORIGIN and ALTSVC frames are not currently supported by swift-nio-http2 and should be ignored. However, one code path that encounters them has a deliberate trap instead. Sending an ALTSVC or ORIGIN frame does not require any special permission, so any HTTP/2 connection peer may send such a frame. The attack is low-effort and has a high impact on availability, as receiving the frame immediately crashes the server, dropping all in-flight connections and causing the service to need to restart. The attack does not have any confidentiality or integrity risks in and of itself, but sudden process crashes can lead to violations of invariants in services, potentially triggering an error condition with confidentiality or integrity risks. **Recommendations** For versions 1.0.0 through 1.19.1, update to version 1.19.2 or later to fix the issue. As a temporary workaround, consider restricting access to untrusted peers to minimize the risk of exploitation.