GHSA-mgc4-wqv7-4pxm

Suggest an improvement
Source
https://github.com/advisories/GHSA-mgc4-wqv7-4pxm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-mgc4-wqv7-4pxm/GHSA-mgc4-wqv7-4pxm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mgc4-wqv7-4pxm
Published
2023-05-18T17:29:43Z
Modified
2023-05-18T17:29:43Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
SwiftNIO vulnerable to HTTP request smuggling using malformed Transfer-Encoding header
Details

Impact

Affected SwiftNIO systems are vulnerable to request smuggling attacks, in which they parse a given HTTP message differently from other network parties, potentially seeing a different number of requests than other servers. This can lead to failures of authentication, routing, and other issues.

This vulnerability can be found in the bundled copy of the Node.JS HTTP parser used in the NIOHTTP1 module.

Workarounds

No workaround is available, users must upgrade.

References

https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/#http-request-smuggling-using-malformed-transfer-encoding-header-critical-cve-2019-15605

References

Affected packages

SwiftURL / github.com/apple/swift-nio

Package

Name
github.com/apple/swift-nio

Affected ranges

Type
SEMVER
Events
Introduced
1.0.0
Fixed
1.14.2

SwiftURL / github.com/apple/swift-nio

Package

Name
github.com/apple/swift-nio

Affected ranges

Type
SEMVER
Events
Introduced
2.0.0
Fixed
2.13.1