PT-2021-14425 · Vapor · Vapor

0Xtim · Published 2021-02-26 · Updated 2023-06-09 · CVE-2021-21328

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: Vapor versions prior to 4.40.1

Description: The issue allows a Denial of Service (DoS) attack against Vapor applications that have a metrics backend enabled. An attacker can send an unlimited number of requests with different paths to a Vapor instance; each new path creates a new counter and timer, so the metrics store grows without bound and eventually exhausts the system's resources. Downstream services may also be affected, since they can be spammed with the error paths.

Recommendations: For versions prior to 4.40.1, upgrade to version 4.40.1, where the DefaultResponder rewrites any undefined route path to the single label `vapor_route_undefined`, so unmatched requests no longer create unlimited counters. As a temporary workaround, consider not bootstrapping a metrics system until the issue is resolved.
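An added illustration of the labelling change the fix describes (example code written for this note, not Vapor's own implementation): with a constructed route table, the vulnerable scheme keys a metric on the raw path of every unmatched request, while the fixed scheme collapses all unmatched requests into the single `vapor_route_undefined` label. The route table, request sample and function names are assumptions.

```python
from collections import Counter
from typing import Optional

# Constructed route table standing in for an application's registered routes
# (method + path pattern; ":name" marks a dynamic segment).
REGISTERED_ROUTES = ["GET /users", "GET /users/:id", "POST /login"]
UNDEFINED_LABEL = "vapor_route_undefined"  # label the fixed DefaultResponder uses


def match_route(method: str, path: str) -> Optional[str]:
    """Return the registered pattern matching the request, or None."""
    parts = path.strip("/").split("/")
    for route in REGISTERED_ROUTES:
        r_method, r_path = route.split(" ", 1)
        r_parts = r_path.strip("/").split("/")
        if r_method == method and len(r_parts) == len(parts) and all(
            rp.startswith(":") or rp == p for rp, p in zip(r_parts, parts)
        ):
            return route
    return None


def label_vulnerable(method: str, path: str) -> str:
    """Pre-4.40.1 behaviour (simplified): an unmatched request is labelled with
    its raw path, so every distinct path a sender picks creates a new series."""
    return match_route(method, path) or f"{method} {path}"


def label_fixed(method: str, path: str) -> str:
    """4.40.1 behaviour: all unmatched requests collapse into one fixed label."""
    return match_route(method, path) or UNDEFINED_LABEL


def count_series(requests, label_fn) -> Counter:
    """Simulate the metrics backend: one counter per distinct label."""
    series: Counter = Counter()
    for method, path in requests:
        series[label_fn(method, path)] += 1
    return series


# Constructed traffic: three legitimate requests plus 1000 requests to paths
# that were never registered, the pattern the advisory describes.
SAMPLE_REQUESTS = [("GET", "/users"), ("GET", "/users/42"), ("POST", "/login")]
SAMPLE_REQUESTS += [("GET", f"/probe/{i}") for i in range(1000)]

if __name__ == "__main__":
    print("vulnerable series:", len(count_series(SAMPLE_REQUESTS, label_vulnerable)))  # 1003
    print("fixed series:", len(count_series(SAMPLE_REQUESTS, label_fixed)))  # 4
```

The bounded label set is also what to check when auditing a metrics backend: the number of distinct route labels should stay close to the number of registered routes regardless of traffic.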

Fix

Resource Exhaustion


Weakness Enumeration

Related Identifiers

CVE-2021-21328
GHSA-GCJ9-JJ38-HWMC

Affected Products

Vapor