swift-nio-http2 package, versions <1.38.0

Q: How to fix?

Upgrade apple/swift-nio-http2 to version 1.38.0 or higher.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-SWIFT-APPLESWIFTNIOHTTP2-11958969
published18 Aug 2025
disclosed13 Aug 2025
creditGal Bar Nahum, AnatBB, YanivRL

Report a new vulnerability Found a mistake?

Introduced: 13 Aug 2025

NewCWE-405 (opens in a new tab)

How to fix?

Upgrade apple/swift-nio-http2 to version 1.38.0 or higher.

Overview

apple/swift-nio-http2 is a HTTP/2 support for SwiftNIO.

Affected versions of this package are vulnerable to Asymmetric Resource Consumption (Amplification) due to the handling of HTTP/2 connections. An attacker can cause resource exhaustion by interleaving malicious traffic with legitimate traffic to evade existing prevention mechanisms.

References

GitHub Commit

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
Present
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
Low

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None