PT-2022-13302 · Apple · Swift-Nio-Http2
Lukasa · Published 2022-03-09 · Updated 2023-06-09
CVE-2022-0618
CVSS v2.0: 7.8 (High) · Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
swift-nio-http2 versions 1.0.0 through 1.19.2
Description
A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. The vulnerability is a logic error in the parsing of an HTTP/2 HEADERS or PUSH_PROMISE frame that carries padding information (the PADDED flag and Pad Length field) without any other data. The attack is low-effort and has a high impact on availability: receiving the frame immediately crashes the server process, dropping all in-flight connections and forcing the service to restart. The attack carries no confidentiality or integrity risk in and of itself, but a sudden process crash can violate invariants in a service and so trigger an error condition that does have confidentiality or integrity consequences.
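The failure mode described above is a length calculation on a padded frame that has nothing left after the Pad Length octet. The following is an added example, not code from swift-nio-http2 or from this advisory: a minimal, bounds-checked parser for HTTP/2 HEADERS and PUSH_PROMISE frames (RFC 7540 sections 4.1, 6.2 and 6.6) that validates Pad Length and the mandatory fixed fields before doing any subtraction, so the padding-only frames the advisory describes become connection errors rather than a crash. Frame type, flag and error-code constants are the RFC values; every frame below is constructed here for illustration, and `build_frame`, `strip_padding`, `parse_headers_like` and `classify` are names chosen for this example.

```python
import struct
from dataclasses import dataclass

FRAME_HEADER_LEN = 9
TYPE_HEADERS = 0x1
TYPE_PUSH_PROMISE = 0x5
FLAG_PADDED = 0x8
FLAG_PRIORITY = 0x20

# RFC 7540 section 7 error codes used when the connection must be closed
PROTOCOL_ERROR = 0x1
FRAME_SIZE_ERROR = 0x6


class H2ConnectionError(Exception):
    def __init__(self, code, msg):
        super().__init__(msg)
        self.code = code


@dataclass
class ParsedFrame:
    frame_type: int
    flags: int
    stream_id: int
    fixed_fields: bytes  # 5-byte priority block (HEADERS) or 4-byte promised stream id
    fragment: bytes      # header block fragment with padding removed


def build_frame(frame_type, flags, stream_id, payload):
    """Serialise one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    header = len(payload).to_bytes(3, "big") + bytes([frame_type, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def strip_padding(flags, payload):
    """Remove PADDED-flag padding, checking bounds before any length arithmetic."""
    if not flags & FLAG_PADDED:
        return payload
    if len(payload) == 0:
        raise H2ConnectionError(FRAME_SIZE_ERROR, "PADDED set but no Pad Length octet")
    pad_length = payload[0]
    body = payload[1:]
    # RFC 7540 s6.2: padding exceeding the remaining payload is a connection error.
    # The comparison happens before the subtraction below, so the result can never
    # go negative; in a language with trapping integer arithmetic that subtraction is
    # exactly where an unchecked parser would abort the process.
    if pad_length > len(body):
        raise H2ConnectionError(PROTOCOL_ERROR, "Pad Length exceeds remaining payload")
    return body[: len(body) - pad_length]


def parse_headers_like(frame):
    """Parse a HEADERS or PUSH_PROMISE frame, rejecting malformed framing."""
    if len(frame) < FRAME_HEADER_LEN:
        raise H2ConnectionError(FRAME_SIZE_ERROR, "short frame header")
    length = int.from_bytes(frame[0:3], "big")
    frame_type, flags = frame[3], frame[4]
    stream_id = struct.unpack(">I", frame[5:9])[0] & 0x7FFFFFFF
    payload = frame[FRAME_HEADER_LEN:]
    if len(payload) != length:
        raise H2ConnectionError(FRAME_SIZE_ERROR, "declared length does not match payload")
    if frame_type not in (TYPE_HEADERS, TYPE_PUSH_PROMISE):
        raise ValueError("not a HEADERS or PUSH_PROMISE frame")
    if stream_id == 0:
        raise H2ConnectionError(PROTOCOL_ERROR, "HEADERS/PUSH_PROMISE on stream 0")
    body = strip_padding(flags, payload)
    # Fields that must be present after padding is removed (RFC 7540 s6.2, s6.6)
    if frame_type == TYPE_HEADERS:
        fixed_len = 5 if flags & FLAG_PRIORITY else 0
    else:
        fixed_len = 4
    if len(body) < fixed_len:
        raise H2ConnectionError(FRAME_SIZE_ERROR, "payload too short for mandatory fields")
    return ParsedFrame(frame_type, flags, stream_id, body[:fixed_len], body[fixed_len:])


def classify(frame):
    """Return 'ok' or the name of the error the connection should be closed with."""
    try:
        parse_headers_like(frame)
        return "ok"
    except H2ConnectionError as e:
        return {PROTOCOL_ERROR: "PROTOCOL_ERROR", FRAME_SIZE_ERROR: "FRAME_SIZE_ERROR"}[e.code]


# Constructed sample frames: padding information with nothing else behind it
ONLY_PAD_LENGTH_HEADERS = build_frame(TYPE_HEADERS, FLAG_PADDED, 1, b"\x00")
ONLY_PAD_LENGTH_PRIORITY = build_frame(TYPE_HEADERS, FLAG_PADDED | FLAG_PRIORITY, 1, b"\x00")
ONLY_PAD_LENGTH_PUSH_PROMISE = build_frame(TYPE_PUSH_PROMISE, FLAG_PADDED, 1, b"\x00")
OVERLONG_PADDING = build_frame(TYPE_HEADERS, FLAG_PADDED, 1, b"\x05\x82")
# Well-formed: Pad Length 2, one-octet HPACK fragment (0x82 = indexed ':method GET'), 2 pad octets
WELL_FORMED = build_frame(TYPE_HEADERS, FLAG_PADDED, 1, b"\x02\x82\x00\x00")

if __name__ == "__main__":
    samples = {
        "headers, pad length only": ONLY_PAD_LENGTH_HEADERS,
        "headers+priority, pad length only": ONLY_PAD_LENGTH_PRIORITY,
        "push_promise, pad length only": ONLY_PAD_LENGTH_PUSH_PROMISE,
        "pad length larger than payload": OVERLONG_PADDING,
        "well-formed padded headers": WELL_FORMED,
    }
    for name, frame in samples.items():
        print(f"{name}: {classify(frame)}")
```

A HEADERS frame whose only content is a zero Pad Length is accepted with an empty header block fragment, which the RFC permits; the same bytes as PUSH_PROMISE, or as HEADERS with PRIORITY set, are missing mandatory fields and close the connection with FRAME_SIZE_ERROR, while a Pad Length larger than what remains is a PROTOCOL_ERROR. In each case the peer gets a GOAWAY and the process keeps serving its other connections, which is the availability property the advisory is about.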
Recommendations
For versions 1.0.0 through 1.19.2, update to version 1.20.0 or later to fix the issue.
As a temporary workaround, consider restricting access so that untrusted peers cannot reach the HTTP/2 endpoint, to minimize the risk of exploitation.
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Swift-Nio-Http2