PT-2022-16785 · Apple · Swift-Nio-Http2

Published by Lukasa · Published 2022-02-09 · Updated 2023-05-18 · CVE-2022-24667

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: swift-nio-http2 versions 1.0.0 through 1.19.1

Description: A program using swift-nio-http2 is vulnerable to a denial-of-service attack caused by a network peer sending a specially crafted HPACK-encoded header block. The malicious header block can be carried in any HPACK-carrying frame of an HTTP/2 connection, such as HEADERS, PUSH_PROMISE or CONTINUATION, and at any position within the header block. No authentication or user interaction is needed (CVSS PR:N/UI:N), the attack is low-effort, and it can be repeated: each hit crashes the server process, dropping every in-flight connection on that process, not only the attacker's. Although the attack itself does not affect confidentiality or integrity, abrupt process crashes can leave service invariants violated (for example, partially completed state changes) and so trigger follow-on error conditions that do carry such risks.

Recommendations: For swift-nio-http2 versions 1.0.0 through 1.19.1, update to version 1.19.2 or later. Confirm the upgrade took effect by checking the resolved swift-nio-http2 version in Package.resolved, not only the requirement in Package.swift. As a temporary workaround, restrict which peers can open HTTP/2 connections to the service (for example, accept HTTP/2 only from trusted front ends); because the header block is decoded before any application-level authentication runs, any peer that can complete an HTTP/2 connection can trigger the crash.
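The weakness listed below is an integer overflow, and Swift traps the process on unchecked arithmetic overflow, which is how a malformed header block becomes a crash of the whole server rather than a rejected frame. The Rust code below is an added example, not swift-nio-http2's own implementation: an HPACK integer codec per RFC 7541 section 5.1 whose decoder reports an overlong or oversized encoding as an error instead of overflowing. The `MAX_INT` ceiling, the 57-bit shift bound and the `decode_hpack_int`/`encode_hpack_int` names are this example's choices; the page does not state which HPACK field the real overflow was in, and the hostile input in `main` is constructed for illustration.

```rust
// Added example, not swift-nio-http2 code: an HPACK integer codec
// (RFC 7541 section 5.1) whose decoder refuses overlong or oversized
// encodings instead of letting arithmetic overflow crash the process.

#[derive(Debug, PartialEq)]
pub enum HpackError {
    /// The buffer ended before the integer did.
    Truncated,
    /// The continuation bytes would push the value past MAX_INT or past
    /// what the accumulator can hold; a decoder that does not check this
    /// trips a runtime overflow trap in Swift (or wraps silently in C).
    Overflow,
}

/// Ceiling chosen for this example: HPACK integers name table indices and
/// string lengths, so nothing larger than 32 bits is meaningful.
pub const MAX_INT: u64 = u32::MAX as u64;

/// Decode one integer with an N-bit prefix (1..=8) from the front of `buf`.
/// Returns (value, bytes consumed).
pub fn decode_hpack_int(buf: &[u8], prefix_bits: u32) -> Result<(u64, usize), HpackError> {
    assert!((1..=8).contains(&prefix_bits), "HPACK prefixes are 1 to 8 bits");
    let first = *buf.first().ok_or(HpackError::Truncated)?;
    let prefix_max = (1u64 << prefix_bits) - 1;
    let mut value = u64::from(first) & prefix_max;
    if value < prefix_max {
        return Ok((value, 1)); // single-byte form
    }
    // Multi-byte form: each continuation byte carries 7 bits, low group first,
    // and bit 7 set means "more bytes follow".
    let mut shift = 0u32;
    for (i, &b) in buf[1..].iter().enumerate() {
        // A 7-bit group shifted by more than 57 no longer fits in 64 bits;
        // such an encoding is hostile or broken either way, so reject it
        // before the shift could silently discard bits.
        if shift > 57 {
            return Err(HpackError::Overflow);
        }
        let group = u64::from(b & 0x7f) << shift;
        value = value.checked_add(group).ok_or(HpackError::Overflow)?;
        if value > MAX_INT {
            return Err(HpackError::Overflow);
        }
        if b & 0x80 == 0 {
            return Ok((value, i + 2)); // +1 for the prefix byte, +1 for zero-based i
        }
        shift += 7;
    }
    Err(HpackError::Truncated)
}

/// Encode `value` with an N-bit prefix; `high_bits` are the non-prefix bits of
/// the first byte (for example 0x80 for an indexed header field) and must not
/// overlap the prefix.
pub fn encode_hpack_int(value: u64, prefix_bits: u32, high_bits: u8) -> Vec<u8> {
    let prefix_max = (1u64 << prefix_bits) - 1;
    let mut out = vec![high_bits];
    if value < prefix_max {
        out[0] |= value as u8;
        return out;
    }
    out[0] |= prefix_max as u8;
    let mut rest = value - prefix_max;
    while rest >= 0x80 {
        out.push((rest & 0x7f) as u8 | 0x80);
        rest >>= 7;
    }
    out.push(rest as u8);
    out
}

fn main() {
    // RFC 7541 C.1.2: 1337 with a 5-bit prefix encodes as 1f 9a 0a.
    let enc = encode_hpack_int(1337, 5, 0x00);
    println!("1337 -> {:02x?}", enc);
    println!("decoded -> {:?}", decode_hpack_int(&enc, 5));
    // Constructed hostile input: all-ones continuation bytes that would grow
    // without bound. It is rejected, not trapped on.
    let hostile = [0x1f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01];
    println!("hostile -> {:?}", decode_hpack_int(&hostile, 5));
}
```

The decoder bounds the value twice: once structurally (no more than nine continuation bytes, so the shift can never lose bits) and once semantically (`MAX_INT`), so a peer cannot choose the number of continuation bytes to steer the accumulator into an overflow; the error surfaces to the caller, which should reset the connection rather than let the process die.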

Fix

Weakness Enumeration

Integer Overflow

Related Identifiers

CVE-2022-24667
GHSA-W3F6-PC54-GFW7
GHSA-WFVQ-P7QF-VV64

Affected Products

Swift-Nio-Http2