Vapor URI Parsing Security Vulnerability
We've just released Vapor 4.90.0, which contains a fix for a security vulnerability in Vapor's URI parsing. Because the parser used uint16_t indexes, it was possible to cause an integer overflow in the parser that could result in host spoofing. This doesn't affect Vapor applications directly but could affect users parsing untrusted input as a URI. The issue has been designated CVE-2024-21631.
→ blog.vapor.codes/posts/security-advisory-GHSA-r6r4-5pr8-gjcp/
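The class of bug described above, as an added example that is not Vapor's code: component indexes narrowed to uint16_t wrap once an input passes 65535 bytes, and a range check before narrowing rejects such input. The struct, function names and sample URI are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical component record with 16-bit indexes (the weak pattern). */
struct span16 { uint16_t off, len; };

/* Weak: a plain cast silently wraps any offset above 65535. */
static struct span16 narrow_unchecked(size_t off, size_t len) {
    struct span16 s = { (uint16_t)off, (uint16_t)len };
    return s;
}

/* Hardened: reject a component whose end does not fit the index type. */
static int narrow_checked(size_t off, size_t len, struct span16 *out) {
    if (off > UINT16_MAX || len > UINT16_MAX - off) return -1;
    out->off = (uint16_t)off;
    out->len = (uint16_t)len;
    return 0;
}

/* Locate the authority ("//" up to the next '/', '?' or '#') using size_t. */
static int find_authority(const char *s, size_t n, size_t *off, size_t *len) {
    for (size_t i = 0; i + 1 < n; i++) {
        if (s[i] != '/' || s[i + 1] != '/') continue;
        size_t e = i + 2;
        while (e < n && s[e] != '/' && s[e] != '?' && s[e] != '#') e++;
        *off = i + 2;
        *len = e - (i + 2);
        return 0;
    }
    return -1;
}

/* Constructed sample: `pad` filler bytes, then "://example.test/". */
static size_t make_sample(char *buf, size_t cap, size_t pad) {
    static const char tail[] = "://example.test/";
    if (pad + sizeof tail > cap) return 0;
    memset(buf, 'a', pad);
    memcpy(buf + pad, tail, sizeof tail);   /* copies the NUL as well */
    return pad + sizeof tail - 1;
}

int main(void) {
    static char buf[70000];
    size_t off, len, n = make_sample(buf, sizeof buf, 65536);
    struct span16 s;
    if (find_authority(buf, n, &off, &len) != 0) return 2;
    if (narrow_unchecked(off, len).off == off) return 1;  /* expect a wrap */
    return narrow_checked(off, len, &s) == -1 ? 0 : 1;    /* expect rejection */
}
```

With the oversized sample, the unchecked record points at filler bytes near the start of the buffer instead of the real authority, which is why a parser that keeps narrow indexes has to reject input it cannot index.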