PT-2022-21351 · Unknown · Swiftnio Extras
Vojtarylko +1
Published 2022-09-21 · Updated 2023-06-07
CVE-2022-3252
CVSS v3.1 7.5 High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
SwiftNIO Extras (affected versions not specified)
Description
SwiftNIO Extras does not correctly detect when decompression of an HTTP message body is complete. When trailing junk data is appended to a compressed HTTP body, the decompressor never observes the end of the compressed stream, enters an infinite loop, and the process stops serving traffic (denial of service). The attack is low effort: it can be mounted by any attacker able to send a compressed HTTP message to an affected process, which is most commonly an HTTP server. The impact on availability is high. The process becomes unavailable immediately but does not crash immediately; if left unchecked, it very slowly exhausts memory, because each iteration of the loop allocates a new buffer.
Recommendations
As a temporary workaround, remove transparent HTTP message decompression from the channel pipeline. This removes the attack surface at the cost of no longer accepting compressed message bodies.
The fix is to treat the end of the compressed stream as reported by zlib (the Z_STREAM_END return from inflate()) as final and to refuse to decompress any data that follows it, rather than retrying on the remaining input.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
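The loop described above and the corrected termination condition, as an added illustration that is not code from SwiftNIO Extras or from the advisory: Python's zlib.decompressobj wraps the same inflate() state machine (Z_STREAM_END is exposed as the eof attribute, unconsumed bytes as unused_data), so the vulnerable "keep inflating while input remains" pattern and the fixed "stop at stream end and reject what follows" pattern can be run side by side. The sample body and the trailing junk bytes are constructed here, and the function names are illustrative.

```python
import zlib

# Constructed sample input (not taken from the advisory): a complete
# zlib-wrapped deflate stream followed by bytes that are not part of it.
BODY = b"hello, compressed world! " * 40
TRAILING_JUNK = b"\xde\xad\xbe\xef not part of the stream"
CLEAN = zlib.compress(BODY)
MALFORMED = CLEAN + TRAILING_JUNK


def decompress_naive(data: bytes, max_rounds: int = 64):
    """Vulnerable pattern (illustrative): keep calling inflate while input
    bytes remain.

    Once the deflate stream is complete, zlib answers Z_STREAM_END
    (decompressobj.eof becomes True) and consumes nothing more, so with
    trailing junk the loop never makes progress.  Each round still allocates
    a fresh buffer (here: Python appends the unconsumed bytes to unused_data),
    which is the slow memory growth the advisory describes.  max_rounds exists
    only so this demonstration terminates; returns (output, rounds, finished).
    """
    d = zlib.decompressobj()
    out = bytearray()
    remaining = data
    rounds = 0
    while remaining:
        if rounds >= max_rounds:
            return bytes(out), rounds, False
        rounds += 1
        unused_before = len(d.unused_data)
        out += d.decompress(remaining)
        # Bytes handed in this round that inflate() left unconsumed.
        unconsumed = len(d.unused_data) - unused_before
        remaining = remaining[len(remaining) - unconsumed:]
    return bytes(out), rounds, True


def decompress_checked(data: bytes, chunk_size: int = 16) -> bytes:
    """Fixed pattern (illustrative): feed input in chunks as a streaming
    handler would, stop as soon as zlib reports the end of the stream, and
    treat any further input as an error instead of retrying on it."""
    d = zlib.decompressobj()
    out = bytearray()
    for offset in range(0, len(data), chunk_size):
        if d.eof:
            raise ValueError("data received after end of compressed stream")
        out += d.decompress(data[offset:offset + chunk_size])
    if d.unused_data:
        # The final chunk held the stream end plus extra bytes.
        raise ValueError("data received after end of compressed stream")
    if not d.eof:
        raise ValueError("compressed stream is incomplete")
    return bytes(out)


def is_well_formed(data: bytes) -> bool:
    """True only if data is exactly one complete compressed stream."""
    try:
        decompress_checked(data)
        return True
    except (ValueError, zlib.error):
        return False
```

Running decompress_naive(MALFORMED, max_rounds=10) returns after ten rounds with finished=False and the body already fully decompressed, showing that no progress is made once the stream end has been reached; decompress_checked raises ValueError on the same input and also on a truncated stream, so a handler built on it closes the connection instead of spinning. SwiftNIO Extras drives inflate() directly rather than through this binding, but the termination condition is the same: stop on Z_STREAM_END, not on "input remains".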
Infinite Loop
Related Identifiers
Affected Products
Swiftnio Extras