CVE-2023-44386

Incorrect request error handling triggers server crash in Vapor

Description

Vapor is an HTTP web framework for Swift. There is a denial of service vulnerability impacting all users of affected versions of Vapor. The HTTP1 error handler closed connections when HTTP parse errors occur instead of passing them on. The issue is fixed as of Vapor release 4.84.2.

Category

5.3
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.05%
Third-Party Advisory github.com
Affected: vapor vapor
Published at:
Updated at:

References

Link Tags
https://github.com/vapor/vapor/security/advisories/GHSA-3mwq-h3g6-ffhm third party advisory
https://github.com/vapor/vapor/commit/090464a654b03148b139a81f8f5ac63b0856f6f3 patch
https://github.com/vapor/vapor/releases/tag/4.84.2 release notes

Frequently Asked Questions

What is the severity of CVE-2023-44386?
CVE-2023-44386 has been scored as a medium severity vulnerability.
How to fix CVE-2023-44386?
To fix CVE-2023-44386, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-44386 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-44386 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-44386?
CVE-2023-44386 affects vapor vapor.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.