PT-2022-14017 · Apple · Swift

Gliush +2

Published 2022-06-16 · Updated 2023-06-07

CVE-2022-1642

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions: Swift versions prior to 5.6.2 for Linux and Windows
Description: A program using swift-corelibs-foundation (the Foundation implementation shipped with Swift on Linux and Windows) is vulnerable to a denial of service when a potentially malicious source supplies a JSON document containing a type mismatch. The issue arises from the interaction between the Swift standard library's Codable protocol and the JSONDecoder class. When a type that adopts Codable requests initialization of a field with an integer value, JSONDecoder uses a type-erased container with several accessor methods to coerce the corresponding JSON value into an integer. If the JSON value is a numeric literal with a fractional part, JSONDecoder used one set of type-erasure accessors during validation and a different one during the final cast, so the mismatch produces a deterministic crash (process termination) instead of the thrown decoding error that other type mismatches produce. JSONDecoder is commonly wrapped by popular Swift web frameworks to parse HTTP request bodies and perform basic type validation, so the attack is low-effort: a single request body carrying a value such as 1.5 where an integer field is expected is enough. The attack has no confidentiality or integrity impact in itself, but an unexpected crash can leave a service's invariants violated (for example, work that was half-complete when the process died), potentially escalating the risk.
Recommendations: To resolve the issue, update to Swift 5.6.2 for Linux and Windows, then recompile and redeploy the software. The new version of Swift includes an updated swift-corelibs-foundation package. As a temporary workaround, consider parsing JSON directly, for example through the JSONSerialization class, rather than through JSONDecoder; note that this moves type validation into your own code, so it must be done explicitly. Alternatively, ensure that fields intended to initialize Swift integer types are only ever fed a JSON numeric constant without a fractional part, which means rejecting such input before it reaches JSONDecoder.
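The pattern described above and the two workarounds, as an added Swift example that is not part of the advisory or of the Swift project. The request bodies are constructed here for illustration; `Item`, `SafeItem`, `StrictInt`, `decodeDirectly`, `decodeSafely` and `rejectFractionalIntegers` are names chosen for this example. The crash itself is what the advisory reports for swift-corelibs-foundation before Swift 5.6.2; the example shows the call that triggers it and two ways to keep untrusted fractional numbers away from `Int` decoding so the mismatch surfaces as a thrown error instead.

```swift
import Foundation

// Constructed sample request bodies (not taken from the advisory).
let goodBody = #"{"id": 42, "name": "widget"}"#.data(using: .utf8)!
let badBody  = #"{"id": 42.5, "name": "widget"}"#.data(using: .utf8)!

struct Item: Decodable {
    let id: Int
    let name: String
}

// Vulnerable pattern: hand untrusted bytes straight to JSONDecoder.
// On swift-corelibs-foundation before Swift 5.6.2 (Linux/Windows), decoding
// badBody into `id: Int` terminates the process instead of throwing.
func decodeDirectly(_ body: Data) throws -> Item {
    try JSONDecoder().decode(Item.self, from: body)
}

// Workaround 1 (the advisory's suggestion): parse with JSONSerialization
// first and reject any fractional value where an integer is expected,
// so JSONDecoder never sees the mismatched number.
enum ValidationError: Error {
    case notAnObject
    case fractionalInteger(key: String)
}

func rejectFractionalIntegers(in body: Data, integerKeys: Set<String>) throws {
    guard let object = try JSONSerialization.jsonObject(with: body) as? [String: Any] else {
        throw ValidationError.notAnObject
    }
    for key in integerKeys {
        guard let raw = object[key] else { continue }
        // JSONSerialization yields NSNumber on Darwin; corelibs may hand back
        // native Swift numbers, so all three shapes are handled.
        let d: Double
        switch raw {
        case let n as NSNumber: d = n.doubleValue
        case let i as Int:      d = Double(i)
        case let x as Double:   d = x
        default: continue   // non-numeric values are left to JSONDecoder's normal checks
        }
        if d.rounded(.towardZero) != d {
            throw ValidationError.fractionalInteger(key: key)
        }
    }
}

// Workaround 2: decode the number as Double (which does not trip the
// mismatch) and convert only when it is integral. The check happens in
// our code and fails with a thrown DecodingError rather than a crash.
struct StrictInt: Decodable {
    let value: Int
    init(from decoder: Decoder) throws {
        let container = try decoder.singleValueContainer()
        let d = try container.decode(Double.self)
        guard let i = Int(exactly: d) else {   // nil for 42.5, NaN, or out of range
            throw DecodingError.dataCorruptedError(
                in: container, debugDescription: "expected an integer, got \(d)")
        }
        value = i
    }
}

struct SafeItem: Decodable {
    let id: StrictInt
    let name: String
}

func decodeSafely(_ body: Data) throws -> SafeItem {
    try JSONDecoder().decode(SafeItem.self, from: body)
}

// Demonstration: the good body decodes either way; the bad body is refused
// by both workarounds before any Int coercion runs inside JSONDecoder.
let ok = try decodeSafely(goodBody)
print("accepted id=\(ok.id.value) name=\(ok.name)")

do {
    try rejectFractionalIntegers(in: badBody, integerKeys: ["id"])
} catch {
    print("rejected before JSONDecoder: \(error)")
}

do {
    _ = try decodeSafely(badBody)
} catch {
    print("rejected by StrictInt: \(error)")
}
// Calling decodeDirectly(badBody) is the vulnerable path; on an affected
// toolchain it does not reach a catch block because the process aborts.
```

`StrictInt` is the more robust of the two because it travels with the model type, so every code path that decodes the model gets the check; the `JSONSerialization` pre-pass only protects callers that remember to run it. Both are stop-gaps until the toolchain is updated to 5.6.2 or later, after which plain `Int` fields throw a `DecodingError` on fractional input.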

Fix

Weakness Enumeration

Incorrect Type Conversion or Cast

Related Identifiers

CVE-2022-1642
GHSA-239C-6CV2-WWX8

Affected Products

Swift