CVE-2021-21328: Vapor's Metrics integration could cause a system drain
This is a DoS attack against anyone who bootstraps a metrics backend for their Vapor app. The attack vector is as follows:
- Send unlimited requests against a Vapor instance with different paths. This will create "unlimited" counters and timers, which will eventually drain the system.
- Downstream services might suffer from this attack as well by being spammed with error paths.
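
The growth described above can be modelled without Vapor. The following is an added example, not code from Vapor or from the advisory: a minimal in-memory metrics registry in Python that compares labelling by raw request path with labelling by matched route template. The route table, the `unmatched_route` fallback label and the sample traffic are assumptions constructed for the illustration.

```python
import re

# Hypothetical route table for this example (not Vapor's router).
ROUTES = [
    ("GET", re.compile(r"^/users/[^/]+$"), "/users/:id"),
    ("GET", re.compile(r"^/health$"), "/health"),
]
UNMATCHED_LABEL = "unmatched_route"  # assumed fixed fallback label


def raw_path_label(method, path):
    """Unbounded pattern: every distinct path becomes its own metric series."""
    return (method, path)


def route_template_label(method, path):
    """Bounded pattern: label by matched route template, else one fixed label."""
    for route_method, pattern, template in ROUTES:
        if route_method == method and pattern.match(path):
            return (method, template)
    return (method, UNMATCHED_LABEL)


class Registry:
    """Minimal metrics backend: one counter and one timer per label set."""

    def __init__(self, labeler):
        self.labeler = labeler
        self.counters = {}  # label -> request count
        self.timers = {}    # label -> [sample count, total seconds]

    def record(self, method, path, seconds):
        key = self.labeler(method, path)
        self.counters[key] = self.counters.get(key, 0) + 1
        timer = self.timers.setdefault(key, [0, 0.0])
        timer[0] += 1
        timer[1] += seconds

    def series_count(self):
        return len(self.counters) + len(self.timers)


def simulate(labeler, n):
    """Record constructed traffic: n unknown paths, n user lookups, one health check."""
    registry = Registry(labeler)
    for i in range(n):
        registry.record("GET", f"/nonexistent/{i}", 0.001)
        registry.record("GET", f"/users/{i}", 0.002)
    registry.record("GET", "/health", 0.001)
    return registry.series_count()
```

With raw paths the number of series grows linearly with the number of distinct paths seen, while the template labeller stays at a constant number of series regardless of traffic volume.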