CVE-2021-32742

Name of the Vulnerable Software and Affected Versions Vapor versions 4.47.1 and prior

Description A bug in the Data.init(base32Encoded:) function opens up the potential for exposing server memory and/or crashing the server (Denial of Service) for applications where untrusted data can end up in said function. Vapor does not currently use this function itself, so this only impacts applications that use the impacted function directly or through other dependencies.

Recommendations For versions 4.47.1 and prior, update to version 4.47.2 to resolve the issue. As a temporary workaround, consider using an alternative to Vapor's built-in Data.init(base32Encoded:) function until the patch is applied.