Vapor
CVE-2021-32742
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
Vapor is a web framework for Swift. In versions 4.47.1 and prior, bug in the Data.init(base32Encoded:) function opens up the potential for exposing server memory and/or crashing the server (Denial of Service) for applications where untrusted data can end up in said function. Vapor does not currently use this function itself so this only impact applications that use the impacted function directly or through other dependencies. The vulnerability is patched in version 4.47.2. As a workaround, one may use an alternative to Vapor's built-in Data.init(base32Encoded:).
AnalysisAI
Vapor is a web framework for Swift. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Deserialization of Untrusted Data (CWE-502), which allows attackers to execute arbitrary code through malicious serialized objects. Vapor is a web framework for Swift. In versions 4.47.1 and prior, bug in the Data.init(base32Encoded:) function opens up the potential for exposing server memory and/or crashing the server (Denial of Service) for applications where untrusted data can end up in said function. Vapor does not currently use this function itself so this only impact applications that use the impacted function directly or through other dependencies. The vulnerability is patched in version 4.47.2. As a workaround, one may use an alternative to Vapor's built-in Data.init(base32Encoded:). Affected products include: Vapor Project Vapor. Version information: version 4.47.2..
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Avoid deserializing untrusted data. Use safe serialization formats (JSON). Implement integrity checks and type allowlists.
Vapor is a server-side Swift HTTP web framework. Rated high severity (CVSS 7.5), this vulnerability is remotely exploita
Vapor is an HTTP web framework for Swift. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no
Vapor is a web framework for Swift. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low at
Vapor is an HTTP web framework for Swift. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable,
Vapor is a web framework for Swift. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no aut
Vapor is an HTTP web framework for Swift. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable,
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today