CVE-2022-24666

Name of the Vulnerable Software and Affected Versions swift-nio-http2 versions 1.0.0 through 1.19.1

Description A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. This attack is caused by a logical error when parsing a HTTP/2 HEADERS frame where the frame contains priority information without any other data, leading to a parsing error that immediately crashes the entire process. The attack is low-effort and has a high impact on availability, as receiving the frame crashes the server and causes the service to need to restart. The attack does not have any confidentiality or integrity risks in and of itself, but sudden process crashes can lead to violations of invariants in services, potentially triggering an error condition with confidentiality or integrity risks.

Recommendations For versions 1.0.0 through 1.19.1, update to version 1.19.2 or later to fix the issue. As a temporary workaround, consider restricting access to untrusted peers to minimize the risk of exploitation.