Description
Vapor is a web framework for Swift. In Vapor before version 4.40.1, there is a DoS attack against anyone who Bootstraps a metrics backend for their Vapor app. The following is the attack vector: 1. send unlimited requests against a vapor instance with different paths. this will create unlimited counters and timers, which will eventually drain the system. 2. downstream services might suffer from this attack as well by being spammed with error paths. This has been patched in 4.40.1. The `DefaultResponder` will rewrite any undefined route paths for to `vapor_route_undefined` to avoid unlimited counters.
References (4)
Core 4
Core References
Third Party Advisory x_refsource_confirm
https://github.com/vapor/vapor/security/advisories/GHSA-gcj9-jj38-hwmc
Patch, Third Party Advisory x_refsource_misc
https://github.com/vapor/vapor/commit/e3aa712508db2854ac0ab905696c65fd88fa7e23
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/vapor/vapor/releases/tag/4.40.1
Product x_refsource_misc
https://vapor.codes/
Scores
CVSS v3
5.3
EPSS
0.0044
EPSS Percentile
63.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Details
CWE
CWE-400
Status
published
Products (2)
SwiftURL/github.com/vapor/vapor
0 - 4.40.1SwiftURL
vapor_project/vapor
< 4.40.1
Published
Feb 26, 2021
Tracked Since
Feb 18, 2026