Vapor URLEncodedFormDecoder Security Vulnerability
We've just released Vapor 4.61.1 which contains a fix for a security vulnerability in Vapor's URLEncodedFormDecoder. An attacker could crash a Vapor application by sending heavily nested data in a request body with an application/x-www-form-urlencoded Content-Type, leading to a Denial of Service attack. This has been designated as CVE-2022-31019.
→ blog.vapor.codes/posts/security-advisory-GHSA-qvxg-wjxc-r4gg/
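An added example, not code from Vapor or from the advisory: a pre-decode guard that bounds how deeply the keys of a form-urlencoded body may nest before the body is handed to a decoder. The limit `maxNestingDepth`, the function names and the sample bodies are assumptions made for this illustration, as is the bracketed-key form of nesting (`a[b][c]=1`).

```swift
import Foundation

/// Hypothetical limit chosen for this example; not a value taken from Vapor.
let maxNestingDepth = 8

/// Bracket nesting depth of one form key, e.g. "user[address][city]" has depth 2.
/// Counting is a flat scan: the check never recurses on attacker-controlled input.
func nestingDepth(ofKey key: Substring) -> Int {
    // Percent-decode first, because "[" and "]" may arrive as %5B and %5D.
    let decoded = String(key).removingPercentEncoding ?? String(key)
    return decoded.filter { $0 == "[" }.count
}

/// True when every key in an application/x-www-form-urlencoded body
/// nests no deeper than `limit`.
func isWithinNestingLimit(_ body: String, limit: Int = maxNestingDepth) -> Bool {
    for pair in body.split(separator: "&") {
        // Only the key (the text before the first "=") carries nesting structure.
        let parts = pair.split(separator: "=", maxSplits: 1,
                               omittingEmptySubsequences: false)
        let key = parts.first ?? ""
        if nestingDepth(ofKey: key) > limit {
            return false
        }
    }
    return true
}

// Constructed sample bodies (not captured traffic).
let samples: [(label: String, body: String)] = [
    ("shallow", "name=Vapor&user[address][city]=Berlin"),
    ("encoded", "user%5Bprofile%5D%5Bname%5D=x"),
    ("deep", "a" + String(repeating: "[b]", count: 64) + "=1"),
]

for sample in samples {
    // A real handler would answer an over-limit body with 400 Bad Request
    // instead of passing it on to the decoder.
    let verdict = isWithinNestingLimit(sample.body) ? "accept" : "reject"
    print("\(sample.label): \(verdict)")
}
```

A guard like this only bounds input ahead of the decoder; upgrading to 4.61.1 is the fix the post names.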