CVE-2021-32742: Untrusted data fed into `Data.init(base32Encoded:)` can result in exposing server memory and/or crash

June 9, 2023

A bug in the Data.init(base32Encoded:) function opens up the potential for exposing server memory and/or crashing the server (Denial of Service) for applications where untrusted data can end up in said function. Vapor does not currently use this function itself so this only impact applications that use the impacted function directly or through other dependencies.

References

github.com/advisories/GHSA-pqwh-c2f3-vxmq
github.com/vapor/vapor
github.com/vapor/vapor/releases/tag/4.47.2
github.com/vapor/vapor/security/advisories/GHSA-pqwh-c2f3-vxmq
nvd.nist.gov/vuln/detail/CVE-2021-32742

Detect and mitigate CVE-2021-32742 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →