PT-2022-16786 · Apple · Swift-Nio-Http2

Lukasa · Published 2022-02-09 · Updated 2023-05-18 · CVE-2022-24668

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: swift-nio-http2 versions 1.0.0 through 1.19.1

Description: A program using swift-nio-http2 is vulnerable to a denial of service attack caused by a network peer sending ALTSVC or ORIGIN frames. The attack is caused by a logical error that sits after frame parsing but before frame handling. ORIGIN and ALTSVC frames are not currently supported by swift-nio-http2 and should be ignored; however, one code path that encounters them contains a deliberate trap instead. Sending an ALTSVC or ORIGIN frame does not require any special permission, so any HTTP/2 connection peer may send such a frame. The attack is low-effort and has a high impact on availability: receiving the frame immediately crashes the server, dropping all in-flight connections and forcing the service to restart. The attack carries no confidentiality or integrity risk in and of itself, but sudden process crashes can violate invariants in services, potentially triggering an error condition that does carry confidentiality or integrity risks.

Recommendations: For versions 1.0.0 through 1.19.1, update to version 1.19.2 or later to fix the issue. As a temporary workaround, consider restricting access from untrusted peers to minimize the risk of exploitation.
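As an added example (not code from swift-nio-http2 or from this advisory), the following Python models the two code paths the description contrasts: a dispatcher that traps on a recognised-but-unsupported ALTSVC or ORIGIN frame, beside one that discards such frames the way RFC 7540 section 4.1 requires for unknown frame types. The frame header layout and type codes come from RFC 7540, RFC 7838 (ALTSVC) and RFC 8336 (ORIGIN); the function names, the two dispatchers and the sample byte stream are constructed for the illustration and do not reflect swift-nio-http2's internals.

```python
"""Added illustration of "ignore unsupported frames" versus "trap on them".

Frame header layout follows RFC 7540 section 4.1. Type 0x0a (ALTSVC) is from
RFC 7838 and 0x0c (ORIGIN) from RFC 8336. Everything else here is an
assumption made for the example, not swift-nio-http2 code.
"""
import struct
from dataclasses import dataclass

FRAME_HEADER_LEN = 9

# The ten core RFC 7540 frame types plus the two extension frames the
# advisory names. Any other type code is an unknown extension frame.
FRAME_TYPES = {
    0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM",
    0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY",
    0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION",
    0xA: "ALTSVC",   # RFC 7838, not supported by swift-nio-http2
    0xC: "ORIGIN",   # RFC 8336, not supported by swift-nio-http2
}
SUPPORTED = frozenset(range(0x0, 0xA))  # the core types an implementation handles


@dataclass(frozen=True)
class FrameHeader:
    length: int
    type: int
    flags: int
    stream_id: int

    @property
    def name(self) -> str:
        return FRAME_TYPES.get(self.type, f"UNKNOWN(0x{self.type:02x})")


def parse_frame_header(buf: bytes) -> FrameHeader:
    """Decode the 9-byte header: 24-bit length, 8-bit type, 8-bit flags,
    then a reserved bit followed by a 31-bit stream identifier."""
    if len(buf) < FRAME_HEADER_LEN:
        raise ValueError("need at least 9 bytes for a frame header")
    length = int.from_bytes(buf[0:3], "big")
    frame_type, flags = buf[3], buf[4]
    stream_id = struct.unpack("!I", buf[5:9])[0] & 0x7FFFFFFF  # drop reserved bit
    return FrameHeader(length, frame_type, flags, stream_id)


def dispatch_trapping(hdr: FrameHeader) -> str:
    """Model of the defective path: a frame type the parser recognises but
    the handler does not support reaches a deliberate trap. In a Swift
    process a trap terminates the whole server, taking every connection
    with it."""
    if hdr.type in SUPPORTED:
        return f"handled {hdr.name}"
    if hdr.type in FRAME_TYPES:  # ALTSVC / ORIGIN: parsed, then trapped
        raise SystemExit(f"fatal: unhandled frame type {hdr.name}")
    return f"ignored {hdr.name}"


def dispatch_ignoring(hdr: FrameHeader) -> str:
    """Hardened path: anything not supported is discarded, as RFC 7540
    section 4.1 requires for unknown frame types. The connection stays up
    and the peer gains nothing by sending such a frame."""
    if hdr.type in SUPPORTED:
        return f"handled {hdr.name}"
    return f"ignored {hdr.name}"


def build_frame(frame_type: int, payload: bytes, stream_id: int = 0,
                flags: int = 0) -> bytes:
    """Constructed sample frame (header + payload) for the demonstration."""
    header = (len(payload).to_bytes(3, "big") + bytes([frame_type, flags])
              + struct.pack("!I", stream_id & 0x7FFFFFFF))
    return header + payload


def process_stream(data: bytes, dispatch) -> list:
    """Walk a byte stream of frames, dispatching each; returns a log."""
    log, pos = [], 0
    while pos + FRAME_HEADER_LEN <= len(data):
        hdr = parse_frame_header(data[pos:pos + FRAME_HEADER_LEN])
        log.append(dispatch(hdr))
        pos += FRAME_HEADER_LEN + hdr.length
    return log


def trapping_dispatcher_crashes(data: bytes) -> bool:
    """True if the defective dispatcher would have terminated the process."""
    try:
        process_stream(data, dispatch_trapping)
    except SystemExit:
        return True
    return False


# Constructed sample stream: SETTINGS, then an ALTSVC frame, then PING.
SAMPLE_STREAM = (build_frame(0x4, b"")
                 + build_frame(0xA, b"\x00\x00example-payload")
                 + build_frame(0x6, b"\x00" * 8))

if __name__ == "__main__":
    print(process_stream(SAMPLE_STREAM, dispatch_ignoring))
    print("trapping dispatcher crashes:", trapping_dispatcher_crashes(SAMPLE_STREAM))
```

The point the example isolates is that the parser is fine in both variants; the defect is purely in the hand-off between parsing and handling, which is why a single well-formed frame from any peer is enough to bring the process down, and why the correct fix is to treat the unsupported type exactly like an unknown one.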

Fix

Weakness Enumeration

Related Identifiers

CVE-2022-24668
GHSA-GPGX-WHWH-R297
GHSA-PGFX-G6RC-8CJV

Affected Products

Swift-Nio-Http2