105 matches found
GHSA-RJ37-6J9X-74Q6 SwiftNIO NIOHTTP1: HTTPDecoder accepts unbounded HTTP/1 header blocks, enabling remote DoS
Summary The HTTPDecoder in NIOHTTP1 enforces no limit on the total size of an HTTP/1 message's header block or on the number of header fields per message. A remote peer can submit an arbitrary number of small, valid headers in a single request and have them all accumulated into the resulting...
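The advisory describes a missing resource limit, not a parsing bug. The following is an added example, not SwiftNIO code: a minimal HTTP/1 header-block reader that enforces the two caps the summary says HTTPDecoder lacked (total header bytes and header-field count), checked as bytes are consumed rather than after the block is buffered. The limit values, function names and the flood input are assumptions for illustration.

```python
"""Added example, not SwiftNIO code: an HTTP/1 header-block reader with the two
limits the advisory says HTTPDecoder lacked (total header bytes and header-field
count). The limit values and function names are assumptions for illustration."""

MAX_HEADER_COUNT = 100        # assumed cap on header fields per message
MAX_HEADER_BYTES = 8 * 1024   # assumed cap on the whole header block


class HeaderBlockTooLarge(Exception):
    """Raised before the parser accumulates more than the configured limits."""


def parse_header_block(data: bytes, max_count=MAX_HEADER_COUNT, max_bytes=MAX_HEADER_BYTES):
    """Parse 'Name: value\\r\\n' lines up to the terminating blank line.

    Returns a list of (lowercased name, value) byte pairs. Passing None for a
    limit disables it, which reproduces the unbounded accumulation the advisory
    describes. Limits are checked as bytes are consumed, so an over-limit block
    is rejected before it is fully buffered.
    """
    headers = []
    consumed = 0
    pos = 0
    while True:
        end = data.find(b"\r\n", pos)
        if end == -1:
            raise ValueError("incomplete header block")
        consumed += end + 2 - pos
        if max_bytes is not None and consumed > max_bytes:
            raise HeaderBlockTooLarge(f"header block exceeds {max_bytes} bytes")
        line = data[pos:end]
        pos = end + 2
        if line == b"":
            return headers
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
        if max_count is not None and len(headers) > max_count:
            raise HeaderBlockTooLarge(f"more than {max_count} header fields")


def build_header_flood(count: int) -> bytes:
    """Constructed attacker input: many small, individually valid headers."""
    return b"".join(b"X-Pad-%d: 1\r\n" % i for i in range(count)) + b"\r\n"


def is_rejected(data: bytes, **limits) -> bool:
    """True if the bounded parser refuses the block instead of buffering it."""
    try:
        parse_header_block(data, **limits)
    except HeaderBlockTooLarge:
        return True
    return False


if __name__ == "__main__":
    flood = build_header_flood(100_000)
    print("unbounded:", len(parse_header_block(flood, max_count=None, max_bytes=None)), "headers buffered")
    print("bounded rejects flood:", is_rejected(flood))
```

The count check fires first for the flood of tiny headers and the byte check first for a few very long ones; a real server needs both, because either one alone leaves the other dimension unbounded.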
SwiftNIO HTTP/2: HTTP/2-to-HTTP/1 Request Smuggling via unvalidated :path pseudo-header in HTTP2ToHTTP1Codec
swift-nio-http2's HTTP/2-to-HTTP/1.1 codec HTTP2FramePayloadToHTTP1ServerCodec / HTTP2ToHTTP1ServerCodec did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. A remote attacker could send an HTTP/2 request containing CR \r, LF \n, o...
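To make the translation step concrete, here is an added example that is not swift-nio-http2 code: a naive HTTP/2-to-HTTP/1.1 serialiser that copies pseudo-header values verbatim, beside a hardened one that rejects control characters (and whitespace in :path) before the values reach the HTTP/1.1 request line. The request shapes, function names and the attacker input are assumptions for illustration.

```python
"""Added example, not swift-nio-http2 code: models an HTTP/2-to-HTTP/1.1
translation step. translate_naive copies pseudo-header values verbatim (the
behaviour the advisory describes); translate_hardened rejects control characters
first. Request shapes and function names are assumptions for illustration."""

import re

# RFC 9113 section 8.2.1: field values must not contain NUL, CR or LF; this
# check is widened to all C0 controls and DEL.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class InvalidPseudoHeader(ValueError):
    """The HTTP/2 stream should be reset (PROTOCOL_ERROR) instead of translated."""


def translate_naive(pseudo: dict, headers: list) -> bytes:
    """Serialise an HTTP/1.1 request from HTTP/2 pseudo-headers with no validation."""
    out = f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1\r\n"
    out += f"Host: {pseudo[':authority']}\r\n"
    for name, value in headers:
        out += f"{name}: {value}\r\n"
    return (out + "\r\n").encode("utf-8")


def validate_pseudo_headers(pseudo: dict) -> None:
    """Reject values that would break the HTTP/1.1 framing after translation."""
    for name in (":method", ":path", ":authority"):
        value = pseudo.get(name)
        if value is None or _CONTROL.search(value):
            raise InvalidPseudoHeader(f"{name} missing or contains control characters")
    if not _TOKEN.match(pseudo[":method"]):
        raise InvalidPseudoHeader(":method is not a token")
    # A space in :path would also end the request-target in the HTTP/1.1 request line.
    if pseudo[":path"] == "" or " " in pseudo[":path"]:
        raise InvalidPseudoHeader(":path is empty or contains whitespace")


def translate_hardened(pseudo: dict, headers: list) -> bytes:
    """Validate pseudo-headers and regular field values, then translate."""
    validate_pseudo_headers(pseudo)
    for name, value in headers:
        if _CONTROL.search(name) or _CONTROL.search(value):
            raise InvalidPseudoHeader(f"header {name!r} contains control characters")
    return translate_naive(pseudo, headers)


def count_request_lines(raw: bytes) -> int:
    """How many HTTP/1.1 request lines a downstream parser would see in the bytes."""
    return sum(1 for line in raw.split(b"\r\n")
               if re.match(rb"^[A-Z]+ \S+ HTTP/1\.1$", line))


def smuggling_request() -> dict:
    """Constructed attacker pseudo-headers: CRLF inside :path terminates the
    first request and starts a second one in the translated byte stream."""
    return {
        ":method": "GET",
        ":path": "/ HTTP/1.1\r\nHost: example.com\r\n\r\nGET /admin",
        ":authority": "example.com",
        ":scheme": "https",
    }


def is_rejected(pseudo: dict, headers: list = ()) -> bool:
    """True if the hardened translator refuses the request."""
    try:
        translate_hardened(pseudo, list(headers))
    except InvalidPseudoHeader:
        return True
    return False


if __name__ == "__main__":
    raw = translate_naive(smuggling_request(), [])
    print(raw)
    print("request lines seen by HTTP/1.1 side:", count_request_lines(raw))
    print("hardened rejects:", is_rejected(smuggling_request()))
```

The naive output carries two request lines, so an HTTP/1.1 backend that trusts the HTTP/2 front end sees a second request it never authorised. The fix belongs at the codec boundary, because HPACK does not constrain field-value bytes the way the HTTP/1.1 grammar does.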
Improper Encoding or Escaping of Output
Overview vapor/leaf-kit is an expressive, performant, and extensible templating language built for Swift. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the htmlEscaped process. An attacker can inject and execute arbitrary scripts in the context ...
leafkit security vulnerability
LeafKit is an open-source templating library developed by Vapor, written in Swift for building modular server-side software. Versions of LeafKit prior to 1.4.1 contained a security vulnerability: htmlEscaped only matched extended grapheme clusters, which could...
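The two LeafKit entries above describe the same weakness: matching whole grapheme clusters instead of individual Unicode scalars. The following is an added example, not LeafKit code, that contrasts the two escaping strategies. The cluster segmentation is a deliberate approximation (base character plus following combining marks), enough to model how a Swift Character comparison misses a delimiter that carries a combining mark; it is not a full UAX #29 segmenter. Function names and the payload are assumptions.

```python
"""Added example, not LeafKit code: contrasts an escaper that matches whole
grapheme clusters (the behaviour described for htmlEscaped before 1.4.1) with
one that matches individual Unicode scalars. The cluster segmentation below is a
deliberate approximation (base character plus following combining marks); it is
not a full UAX #29 segmenter. Function names are assumptions."""

import unicodedata

_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}


def _clusters(text: str) -> list:
    """Approximate extended grapheme clusters: attach combining marks (Mn/Mc/Me)
    to the preceding base character, as a Swift Character would."""
    clusters = []
    for ch in text:
        if clusters and unicodedata.category(ch) in ("Mn", "Mc", "Me"):
            clusters[-1] += ch
        else:
            clusters.append(ch)
    return clusters


def escape_by_cluster(text: str) -> str:
    """Vulnerable shape: a '<' or '"' carrying a combining mark is a different
    cluster from the bare delimiter, so the table lookup misses it."""
    return "".join(_ESCAPES.get(c, c) for c in _clusters(text))


def escape_by_scalar(text: str) -> str:
    """Fixed shape: every scalar is compared on its own, so the delimiter is
    escaped and the combining mark follows the entity unchanged."""
    return "".join(_ESCAPES.get(ch, ch) for ch in text)


def leaks_delimiter(escaped: str) -> bool:
    """True if a raw quote or angle bracket survived escaping ('&' is excluded
    because the entities themselves contain it)."""
    return any(d in escaped for d in '<>"\'')


def attribute_breakout_payload() -> str:
    """Constructed input for an attribute context such as title="{{ value }}":
    U+0301 COMBINING ACUTE ACCENT rides on the closing quote."""
    return 'x"\u0301 onmouseover="alert(1)'


if __name__ == "__main__":
    p = attribute_breakout_payload()
    print("cluster-based:", escape_by_cluster(p).encode("unicode_escape"))
    print("scalar-based: ", escape_by_scalar(p).encode("unicode_escape"))
```

The cluster-based escaper passes the quote through raw because the cluster it sees is the two-scalar sequence `"` + U+0301, which is not a key in the escape table; the scalar-based one emits `&quot;` followed by the bare combining mark. Whether a given HTML parser then treats the raw quote as an attribute terminator is context dependent, but an escaper must never let the delimiter through in the first place.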
EUVD-2023-1872
Malicious code in bioql PyPI...
EUVD-2023-1889
Malicious code in bioql PyPI...
EUVD-2023-1891
Malicious code in bioql PyPI...
EUVD-2023-1801
Malicious code in bioql PyPI...
EUVD-2023-1859
Malicious code in bioql PyPI...
EUVD-2024-0412
Malicious code in bioql PyPI...
EUVD-2023-2631
Malicious code in bioql PyPI...
MAL-2025-9047 Malicious code in @malware-test-vapor-masty-zeros-matte/test-mlw3-vapor-masty-zeros-matte (npm)
The package @malware-test-vapor-masty-zeros-matte/test-mlw3-vapor-masty-zeros-matte was found to contain malicious code...
MAL-2025-8801 Malicious code in @malware-test-musty-meats-dated-vapor/test-mlw3-musty-meats-dated-vapor (npm)
The package @malware-test-musty-meats-dated-vapor/test-mlw3-musty-meats-dated-vapor was found to contain malicious code...
CVE-2024-21631
Vapor is an HTTP web framework for Swift. Prior to version 4.90.0, Vapor's vapor_urlparser_parse function uses uint16_t indexes when parsing a URI's components, which may cause integer overflows when parsing untrusted inputs. This vulnerability does not affect Vapor directly but could impact...
CVE-2021-32742
Vapor is a web framework for Swift. In versions 4.47.1 and prior, a bug in the Data.init(base32Encoded:) function opens up the potential for exposing server memory and/or crashing the server (denial of service) for applications where untrusted data can end up in said function. Vapor does not currently...
CVE-2021-21328
Vapor is a web framework for Swift. In Vapor before version 4.40.1, there is a DoS attack against anyone who bootstraps a metrics backend for their Vapor app. The following is the attack vector: 1. send unlimited requests against a Vapor instance with different paths. This will create unlimited...
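The attack vector above is a metrics cardinality explosion: every unseen path becomes a new series. The following is an added example, not Vapor code, showing a recorder keyed by raw request path next to one keyed by the matched route pattern with a hard cap on distinct series. The route table, cap, class names and flood input are assumptions for illustration.

```python
"""Added example, not Vapor code: a metrics recorder keyed by raw request path
(the unbounded behaviour described above) next to one keyed by the matched route
pattern with a hard cap on distinct series. Route table, cap and names are
assumptions for illustration."""

from collections import Counter


class Router:
    """Minimal path matcher: segments starting with ':' are parameters."""

    def __init__(self, patterns):
        self.patterns = [p.strip("/").split("/") for p in patterns]

    def match(self, path: str):
        segs = path.strip("/").split("/")
        for pat in self.patterns:
            if len(pat) == len(segs) and all(p.startswith(":") or p == s for p, s in zip(pat, segs)):
                return "/" + "/".join(pat)
        return None


class PathKeyedMetrics:
    """Vulnerable shape: one counter per distinct path; the client chooses the set."""

    def __init__(self):
        self.counters = Counter()

    def record(self, path: str) -> None:
        self.counters[path] += 1

    def series_count(self) -> int:
        return len(self.counters)


class RouteKeyedMetrics:
    """Hardened shape: key by route pattern, bucket unmatched requests together,
    and refuse to create new series beyond max_series."""

    UNMATCHED = "<unmatched>"
    OVERFLOW = "<overflow>"

    def __init__(self, router: Router, max_series: int = 500):
        self.router = router
        self.max_series = max_series
        self.counters = Counter()

    def record(self, path: str) -> None:
        key = self.router.match(path) or self.UNMATCHED
        if key not in self.counters and len(self.counters) >= self.max_series:
            key = self.OVERFLOW
        self.counters[key] += 1

    def series_count(self) -> int:
        return len(self.counters)


def flood(recorder, n: int) -> int:
    """Constructed attack: n requests, each with a never-before-seen path.
    Returns the number of series the recorder holds afterwards."""
    for i in range(n):
        recorder.record(f"/users/{i}" if i % 2 else f"/probe-{i}")
    return recorder.series_count()


if __name__ == "__main__":
    print("path-keyed series after flood:", flood(PathKeyedMetrics(), 10_000))
    hardened = RouteKeyedMetrics(Router(["/", "/users/:id", "/health"]))
    print("route-keyed series after flood:", flood(hardened, 10_000), dict(hardened.counters))
```

Keying by route pattern is the structural fix; the cap is the backstop for any label that still comes from the request (method, status, route) so a bug elsewhere cannot reintroduce unbounded growth.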
CVE-2022-31005
Vapor is an HTTP web framework for Swift. Users of Vapor prior to version 4.60.3 with FileMiddleware enabled are vulnerable to an integer overflow vulnerability that can crash the application. Version 4.60.3 contains a patch for this issue. As a workaround, disable FileMiddleware and serve via a...
CVE-2022-31019
Vapor is a server-side Swift HTTP web framework. When using automatic content decoding an attacker can craft a request body that can make the server crash with the following request: curl -d "array00array00array$for f in $seq 1100; do echo -n '00array'; donestring0=hello%20world"...
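The crash above comes from a form body whose key nests bracket segments far deeper than any legitimate client would send. The following is an added example, not Vapor code: a bracket-notation decoder for application/x-www-form-urlencoded keys such as array[][string][0], which with no limit builds as many nested containers as the key asks for and with a depth limit rejects the key before allocating anything. Names, the default limit and the hostile body are assumptions for illustration.

```python
"""Added example, not Vapor code: a bracket-notation form decoder of the kind
automatic content decoding uses for keys such as array[][string][0]. With
max_depth=None it nests as deeply as the request asks (the resource exhaustion
described above); with a limit it rejects the key before building anything.
Names and the default limit are assumptions for illustration."""

import re
from urllib.parse import parse_qsl

_KEY = re.compile(r"^([^\[\]]*)((?:\[[^\[\]]*\])*)$")
_PART = re.compile(r"\[([^\[\]]*)\]")


class FormTooDeep(ValueError):
    """Raised before any container for the offending key is created."""


def split_key(key: str) -> list:
    """'a[b][]' -> ['a', 'b', '']; an empty bracket means 'append'."""
    m = _KEY.match(key)
    if not m:
        raise ValueError(f"malformed key: {key!r}")
    return [m.group(1)] + _PART.findall(m.group(2))


def decode_form(body: str, max_depth=8) -> dict:
    """Decode application/x-www-form-urlencoded into nested dicts.

    Depth is checked per key before any container is created, so a hostile
    key costs one regex match and nothing else.
    """
    root = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        parts = split_key(key)
        if max_depth is not None and len(parts) > max_depth:
            raise FormTooDeep(f"key nests {len(parts)} levels, limit {max_depth}")
        node = root
        for i, part in enumerate(parts):
            name = str(len(node)) if part == "" else part
            if i == len(parts) - 1:
                node[name] = value
            else:
                child = node.setdefault(name, {})
                if not isinstance(child, dict):
                    raise ValueError(f"{name!r} is both a value and a container")
                node = child
    return root


def nesting_depth(obj) -> int:
    """Count nested dict levels without recursion (1 for a flat dict)."""
    deepest, stack = 0, [(obj, 1)]
    while stack:
        node, level = stack.pop()
        if isinstance(node, dict):
            deepest = max(deepest, level)
            stack.extend((v, level + 1) for v in node.values())
    return deepest


def deep_body(levels: int) -> str:
    """Constructed hostile body: one key nested `levels` brackets deep."""
    return "n" + "[x]" * levels + "=v"


def is_rejected(body: str, max_depth=8) -> bool:
    """True if the bounded decoder refuses the body."""
    try:
        decode_form(body, max_depth)
    except FormTooDeep:
        return True
    return False


if __name__ == "__main__":
    print(decode_form("a[b][c]=1&list[]=x&list[]=y"))
    print("unbounded depth:", nesting_depth(decode_form(deep_body(1100), max_depth=None)))
    print("bounded rejects:", is_rejected(deep_body(1100)))
```

The decoder here is iterative, so the unbounded case only wastes memory; a recursive decoder, which is the natural shape for nested content decoding, turns the same input into stack exhaustion. Either way the depth check has to run on the key before the containers exist.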