Apple · Swift · CVE-2022-1642
**Name of the Vulnerable Software and Affected Versions**
Swift versions prior to 5.6.2 for Linux and Windows
**Description**
A program using swift-corelibs-foundation is vulnerable to a denial of service attack caused by a potentially malicious source producing a JSON document containing a type mismatch. This issue is caused by the interaction between the Swift standard library's Codable protocol and the JSONDecoder class. When a type that adopts Codable requests the initialization of a field with an integer value, the JSONDecoder class uses a type-erased container with different accessor methods to attempt to coerce the corresponding JSON value into an integer. When the JSON value was a numeric literal with a floating-point portion, JSONDecoder used different type-eraser methods during validation than it did during the final casting of the value, and this mismatch produced a deterministic crash. The JSONDecoder class is often wrapped by popular Swift-based web frameworks to parse the body of HTTP requests and perform basic type validation, making the attack low-effort. The attack does not have any confidentiality or integrity risks in and of itself, but unexpected crashes can lead to violations of invariants in services, potentially escalating the risk.
**Recommendations**
To resolve the issue, update to Swift 5.6.2 for Linux and Windows, then recompile and redeploy the software. The new version of Swift includes an updated swift-corelibs-foundation package. As a temporary workaround, consider using JSON parsing directly, such as through the JSONSerialization class, rather than using the JSONDecoder class. Alternatively, ensure that fields intended to initialize Swift integer types use a JSON numeric constant without a fractional part to avoid the crash.
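The following is an added example of the second workaround above (validating with JSONSerialization before handing the body to JSONDecoder); it is not code from the Swift project or from this advisory. The `CreateOrder` type, the `integerFields` list and the `PayloadValidationError` cases are assumptions made for illustration. The check is deliberately conservative: a field that must become a Swift `Int` is accepted only when the parser surfaced it as an integer type, so literals with a fractional or exponent part are rejected before JSONDecoder ever sees them. Upgrading to Swift 5.6.2 remains the actual fix; this gate is only a stopgap for unpatched deployments.

```swift
import Foundation

// Hypothetical request body a web handler would decode with JSONDecoder.
struct CreateOrder: Codable {
    let productId: Int
    let quantity: Int
    let note: String?
}

// Assumed error type for the pre-validation gate (not part of Foundation).
enum PayloadValidationError: Error, Equatable {
    case malformedJSON
    case notAnObject
    case wrongType(field: String)
    case nonIntegralValue(field: String)
}

/// Parses the body with JSONSerialization and rejects any listed field whose
/// value is not a plain integer literal. Missing keys are left to JSONDecoder,
/// which reports them through its normal error path rather than crashing.
func validateIntegerFields(_ data: Data, integerFields: [String]) throws {
    guard let object = try? JSONSerialization.jsonObject(with: data, options: []) else {
        throw PayloadValidationError.malformedJSON
    }
    guard let dict = object as? [String: Any] else {
        throw PayloadValidationError.notAnObject
    }
    for field in integerFields {
        guard let value = dict[field] else { continue }
        // Booleans bridge to NSNumber on Darwin; reject them explicitly first.
        if value is Bool {
            throw PayloadValidationError.wrongType(field: field)
        }
        switch value {
        case is Int, is Int64, is UInt, is UInt64:
            continue                                   // integral literal: safe
        case is Double, is Float, is NSNumber:
            // Assumption: swift-corelibs-foundation yields Double for literals
            // with a '.' or exponent, so anything numeric that is not an Int
            // is treated as fractional and refused.
            throw PayloadValidationError.nonIntegralValue(field: field)
        default:
            throw PayloadValidationError.wrongType(field: field)
        }
    }
}

/// Decoding entry point a handler would call instead of JSONDecoder directly.
func decodeOrder(_ data: Data) throws -> CreateOrder {
    try validateIntegerFields(data, integerFields: ["productId", "quantity"])
    return try JSONDecoder().decode(CreateOrder.self, from: data)
}

// Constructed sample bodies for a quick self-check.
let good = Data(#"{"productId": 42, "quantity": 3, "note": "gift"}"#.utf8)
let fractional = Data(#"{"productId": 42, "quantity": 2.5}"#.utf8)
let wrongKind = Data(#"{"productId": "42", "quantity": 1}"#.utf8)

do {
    let order = try decodeOrder(good)
    print("accepted:", order.productId, order.quantity, order.note ?? "")
} catch {
    print("unexpected rejection:", error)
}

for body in [fractional, wrongKind] {
    do {
        _ = try decodeOrder(body)
        print("unexpected acceptance")
    } catch let e as PayloadValidationError {
        print("rejected before JSONDecoder:", e)   // 4xx response, no crash
    } catch {
        print("decoder error:", error)
    }
}
```

In a web framework the `PayloadValidationError` cases map naturally to a 400 response, which also gives a clean detection signal: a spike of `nonIntegralValue` rejections on an endpoint is the pattern this advisory describes, and it is worth alerting on while the fleet is still being moved to 5.6.2.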