Skip to main content

swift-nio-http2 CVE-2026-28898

| EUVDEUVD-2026-39533 MEDIUM
HTTP Request/Response Smuggling (CWE-444)
2026-06-12 https://github.com/apple/swift-nio-http2 GHSA-4px2-pw77-vc85
5.3
CVSS 3.1 · Vendor: https://github.com/apple/swift-nio-http2
Share

Severity by source

Vendor (https://github.com/apple/swift-nio-http2) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
9.3 CRITICAL

Network-exploitable with no auth; scope changes because CRLF injection lets smuggled requests reach and affect the HTTP/1.1 backend beyond the proxy boundary.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N

Primary rating from Vendor (https://github.com/apple/swift-nio-http2).

CVSS VectorVendor: https://github.com/apple/swift-nio-http2

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Jun 25, 2026 - 21:03 EUVD
CVSS changed
Jun 25, 2026 - 20:22 NVD
5.3 (MEDIUM)
Source Code Evidence Fetched
Jun 12, 2026 - 15:55 vuln.today
Analysis Generated
Jun 12, 2026 - 15:55 vuln.today

DescriptionCVE.org

swift-nio-http2's HTTP/2-to-HTTP/1.1 codec (HTTP2FramePayloadToHTTP1ServerCodec / HTTP2ToHTTP1ServerCodec) did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. A remote attacker could send an HTTP/2 request containing CR (\r), LF (\n), or NUL (\0) bytes in pseudo-header values such as :path, and when the server translated this to HTTP/1.1 - for example in a reverse-proxy configuration - the resulting output could contain injected headers or entirely smuggled requests.

This is an HTTP/2-to-HTTP/1.1 request smuggling vulnerability. HTTP/2's binary framing means that CRLF bytes are never parsed as line terminators at the HTTP/2 layer, so they pass through transparently to the HTTP/1.1 output. Any swift-nio-http2 server that translates HTTP/2 requests to HTTP/1.1 and forwards them to a backend is affected. Server-side Swift frameworks such as Vapor that use this codec in a reverse-proxy pattern are directly affected.

This vulnerability is related to https://github.com/advisories/GHSA-7fj7-39wj-c64f in swift-nio, which addressed CRLF injection in HTTP/1.1 header values but did not cover pseudo-header values in the HTTP/2 layer.

This vulnerability is also related to https://github.com/advisories/GHSA-cq87-8r7h-962v in swift-nio, which addressed CRLF injection in HTTP/1.1 version, method and path.

swift-nio-http2 1.44.0 adds validation of all pseudo-header values (:path, :authority, :scheme, :method, and :status) at both the HPACK header validation layer and the HTTP/2-to-HTTP/1.1 translation layer. Requests or responses containing CR, LF, or NUL bytes in any pseudo-header value are now rejected with a connection error.

SwiftNIO recommends all adopters upgrade to 1.44.0 as soon as possible.

SwiftNIO thanks @kuranikaran for filing this issue and the support in fixing it.

AnalysisAI

HTTP/2-to-HTTP/1.1 request smuggling in swift-nio-http2 (versions prior to 1.44.1) allows unauthenticated remote attackers to inject arbitrary HTTP headers or smuggle entire requests to backend systems in reverse-proxy configurations. The codecs HTTP2FramePayloadToHTTP1ServerCodec and HTTP2ToHTTP1ServerCodec fail to strip CR, LF, or NUL control characters from HTTP/2 pseudo-header values such as :path and :authority before writing them into the HTTP/1.1 output, enabling the binary-safe HTTP/2 layer to act as a covert channel for control characters that become structural delimiters in HTTP/1.1. No public exploit has been identified at time of analysis, but this vulnerability is a direct extension of two prior confirmed CRLF injection flaws in the same library family (GHSA-7fj7-39wj-c64f and GHSA-cq87-8r7h-962v), indicating a recurring pattern that lowers the technical barrier for exploitation.

Technical ContextAI

The affected package is pkg:swift/github.com_apple_swift-nio-http2, Apple's Swift implementation of HTTP/2 built on the SwiftNIO non-blocking I/O event loop. The two vulnerable codecs, HTTP2FramePayloadToHTTP1ServerCodec and HTTP2ToHTTP1ServerCodec, handle the translation layer between HTTP/2 binary frames and HTTP/1.1 text-based messages used by downstream backends. The root cause is CWE-444 (Inconsistent Interpretation of HTTP Requests - HTTP Request Smuggling): HTTP/2 uses HPACK binary encoding and binary framing where CRLF bytes carry no structural meaning at the framing layer, so they are treated as opaque data. However, when the codec writes these bytes verbatim into HTTP/1.1 header fields or the request line, CR and LF become structural delimiters that the backend HTTP/1.1 parser interprets as header terminators or line boundaries, creating the smuggling primitive. The five affected pseudo-headers are :path, :authority, :scheme, :method, and :status. Prior advisories GHSA-7fj7-39wj-c64f (HTTP/1.1 header value CRLF injection) and GHSA-cq87-8r7h-962v (method, path, and version CRLF injection) addressed adjacent attack surfaces in swift-nio but left pseudo-header translation unguarded.

RemediationAI

Upgrade swift-nio-http2 to version 1.44.1 as recommended by the vendor - the CPE package data specifies 1.44.1 as the fixed version, though the advisory text references 1.44.0 as the version introducing the fix; consult the upstream advisory at https://github.com/apple/swift-nio-http2/security/advisories/GHSA-4px2-pw77-vc85 to confirm the canonical release. The fix adds validation of all pseudo-header values (:path, :authority, :scheme, :method, :status) at both the HPACK header validation layer and the HTTP/2-to-HTTP/1.1 translation layer, rejecting connections that carry CR, LF, or NUL bytes with a connection error. If an immediate upgrade is not feasible, a compensating control is to deploy a validating HTTP/2 termination proxy such as Envoy or nginx (with strict header validation enabled) in front of the swift-nio-http2 endpoint to reject requests containing control characters in pseudo-header values; this introduces an additional hop and a dependency on the proxy's own validation correctness. Swift server deployments not performing HTTP/2-to-HTTP/1.1 forwarding are not exploitable but should upgrade regardless to eliminate the vulnerability class.

Share

CVE-2026-28898 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy