CVE-2022-31005
Integer Overflow in Vapor's HTTP Range Request
In short
Vapor web framework versions before 4.60.3 contain an integer overflow bug in FileMiddleware's HTTP range request handling that lets an unauthenticated remote attacker crash the application by sending a specially crafted Range header. Any Vapor application that uses FileMiddleware to serve static files is affected; applications that do not enable it are not.
Technical detail
An integer overflow in Vapor's FileMiddleware HTTP range request handler (CWE-190) allows remote attackers to trigger a denial-of-service condition by sending a Range header whose byte offsets cause arithmetic overflow while the middleware computes the range to serve. In Swift, unchecked integer arithmetic traps on overflow rather than wrapping, which is why the bug manifests as a process crash rather than a wrong result. The vulnerability requires FileMiddleware to be enabled and affects versions prior to 4.60.3; exploitation requires no authentication or user interaction and results in termination of the application.
Summary generated and translated by AI from the official description.
Vapor is an HTTP web framework for Swift. Users of Vapor prior to version 4.60.3 with FileMiddleware enabled are vulnerable to an integer overflow vulnerability that can crash the application. Version 4.60.3 contains a patch for this issue. As a workaround, disable FileMiddleware and serve via a Content Delivery Network.
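The following Swift example is added here to illustrate the bug class described above; it is not Vapor's code and does not reproduce the exact expression in FileMiddleware. The names `ByteRange`, `RangeError`, `lengthUnchecked`, `parseRange` and `lengthChecked`, and the file size and Range headers used as input, are constructed for illustration. It shows the unchecked length computation that traps on attacker-controlled offsets, and a parser that validates and clamps the offsets against the file size and uses overflow-reporting arithmetic so that a hostile header yields an HTTP 400 or 416 instead of a crash.

```swift
/// Parsed single byte range "bytes=<start>-<end>" with inclusive bounds.
struct ByteRange {
    let start: Int
    let end: Int
}

enum RangeError: Error {
    case malformed       // header does not match bytes=<start>-<end> (HTTP 400)
    case notSatisfiable  // outside [0, fileSize) or start > end (HTTP 416)
}

/// Vulnerable pattern (illustrative, not Vapor's code). Swift's `-` and `+`
/// trap on overflow, so a request such as "bytes=0-9223372036854775807"
/// (end == Int.max) turns this into a fatal error that kills the process.
func lengthUnchecked(start: Int, end: Int) -> Int {
    return end - start + 1
}

/// Hardened parser: parse without trapping, reject values that do not fit
/// in Int, and validate/clamp against the real file size before any
/// arithmetic on the offsets is trusted.
func parseRange(header: String, fileSize: Int) throws -> ByteRange {
    guard header.hasPrefix("bytes=") else { throw RangeError.malformed }
    let spec = header.dropFirst("bytes=".count)
    let parts = spec.split(separator: "-", maxSplits: 1, omittingEmptySubsequences: false)
    guard parts.count == 2 else { throw RangeError.malformed }

    // Int(_:) returns nil for digit strings that do not fit, so an oversized
    // offset is rejected as malformed instead of overflowing during parsing.
    let startOpt = parts[0].isEmpty ? nil : Int(parts[0])
    let endOpt = parts[1].isEmpty ? nil : Int(parts[1])
    if !parts[0].isEmpty && startOpt == nil { throw RangeError.malformed }
    if !parts[1].isEmpty && endOpt == nil { throw RangeError.malformed }
    guard fileSize > 0 else { throw RangeError.notSatisfiable }

    let start: Int
    let end: Int
    switch (startOpt, endOpt) {
    case (nil, nil):
        throw RangeError.malformed
    case (nil, let suffixLen?):
        // "bytes=-N": the last N bytes; N larger than the file means the whole file.
        guard suffixLen > 0 else { throw RangeError.notSatisfiable }
        start = fileSize - min(suffixLen, fileSize)
        end = fileSize - 1
    case (let s?, nil):
        // "bytes=N-": from offset N to the end of the file.
        guard s >= 0, s < fileSize else { throw RangeError.notSatisfiable }
        start = s
        end = fileSize - 1
    case (let s?, let e?):
        guard s >= 0, s <= e, s < fileSize else { throw RangeError.notSatisfiable }
        start = s
        end = min(e, fileSize - 1)  // an end past the last byte is clamped, per RFC 9110
    }
    return ByteRange(start: start, end: end)
}

/// Overflow-reporting length computation: returns nil instead of trapping.
/// After parseRange the bounds are already safe; this is defence in depth
/// for callers that compute lengths from offsets they did not validate.
func lengthChecked(_ r: ByteRange) -> Int? {
    let (diff, o1) = r.end.subtractingReportingOverflow(r.start)
    guard !o1 else { return nil }
    let (len, o2) = diff.addingReportingOverflow(1)
    return o2 ? nil : len
}

// Constructed demonstration inputs, not captured traffic.
let fileSize = 1_000
let headers = [
    "bytes=0-499",                   // ordinary range
    "bytes=900-",                    // open-ended
    "bytes=-100",                    // suffix range
    "bytes=0-9223372036854775807",   // end == Int.max: lengthUnchecked would trap; clamped here
    "bytes=9223372036854775807-",    // start beyond the file: 416
    "bytes=5-2",                     // start > end: 416
    "bytes=99999999999999999999-1",  // does not fit in Int: 400
]
for h in headers {
    do {
        let r = try parseRange(header: h, fileSize: fileSize)
        print("\(h) -> \(r.start)-\(r.end), \(lengthChecked(r) ?? -1) bytes")
    } catch {
        print("\(h) -> rejected: \(error)")
    }
}
```

The essential points are that offsets are validated against the file size before any length is computed, that parsing uses an API that fails rather than traps on oversized numbers, and that any remaining arithmetic uses the `ReportingOverflow` variants so a hostile header ends in an error response rather than process termination.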
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (base score 7.5, High)
Affected products
vapor · vapor