Skip to main content

SwiftNIO CVE-2026-28970

MEDIUM
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-06-12 https://github.com/apple/swift-nio GHSA-cq87-8r7h-962v
Share

Severity by source

vuln.today AI
5.4 MEDIUM

Network-reachable but requires attacker-controlled data in start line fields (AC:H, PR:N); scope changes to intermediaries via smuggling (S:C); no availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Estimated by vuln.today — no official severity rating has been published for this CVE yet.

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 12, 2026 - 15:53 vuln.today
Analysis Generated
Jun 12, 2026 - 15:53 vuln.today

DescriptionCVE.org

Programs using swift-nio is vulnerable to HTTP request smuggling and HTTP response splitting attacks, caused by insufficient validation of outbound HTTP/1.1 request and response start line components.

This vulnerability affects all swift-nio versions from 2.0.0 to 2.99.0. It is fixed in 2.100.0 and later releases.

This vulnerability is caused by the NIOHTTPRequestHeadersValidator and NIOHTTPResponseHeadersValidator channel handlers only validating header field names and values, while leaving the request URI, request method, and response reason phrase unvalidated. An attacker who can influence the content of these fields - for example by controlling a URL path or a custom HTTP method in a proxy application - can inject CR/LF sequences or other control characters into the HTTP start line. This allows construction of arbitrary additional HTTP requests or responses on the wire, a classic HTTP request smuggling or HTTP response splitting attack.

Exploiting this vulnerability requires the attacker to influence the content of outbound HTTP start line fields. In proxy applications that forward attacker-controlled URIs or methods, this is straightforward. For clients, a malicious server that triggers a redirect to a crafted URL could exploit the URI validation gap. For servers, any client that can cause the server to emit a crafted response reason phrase could exploit the response splitting gap.

In vulnerable applications, where attacker controlled data is supplied to these fields, the attack is low-effort: injecting a CRLF sequence into a URI or reason phrase requires only a single crafted request. Successful exploitation can allow an attacker to smuggle additional HTTP requests past intermediaries or split HTTP responses, potentially bypassing WAFs or poisoning web caches. However, most applications are not vulnerable at all.

The risk can be mitigated by ensuring that all user-controlled input is sanitized before being used in HTTP start line components. However, this mitigation places the burden on application developers and is error-prone.

The issue is fixed by extending NIOHTTPRequestHeadersValidator to validate request URIs against the character set defined in RFC 9112 Section 3.2 and RFC 3986 Section 3, and to validate custom HTTP methods against the token grammar defined in RFC 9110. NIOHTTPResponseHeadersValidator is extended to validate custom response reason phrases against RFC 9112 Section 4. Applications that use these validator channel handlers - which are installed by default when using addHTTPClientHandlers() or addHTTPServerHandlers() - will reject invalid outbound messages with an HTTPParserError.invalidHeaderToken error rather than emitting them to the network.

SwiftNIO is grateful to @kuranikaran and @YLChen-007 for their reporting and assistance with the project's process.

AnalysisAI

CRLF injection in SwiftNIO's outbound HTTP/1.1 start line handling enables HTTP request smuggling and HTTP response splitting in applications built on swift-nio 2.0.0 through 2.99.0. The validators NIOHTTPRequestHeadersValidator and NIOHTTPResponseHeadersValidator enforce header field name and value correctness but leave the request URI, HTTP method, and response reason phrase unvalidated, allowing CR/LF sequences to be injected by any attacker who controls those fields. Successful exploitation can smuggle arbitrary HTTP requests past intermediaries, bypass WAF rules, or poison shared web caches. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, exploitation in vulnerable proxy deployments is described as low-effort by the advisory authors.

Technical ContextAI

SwiftNIO (pkg:swift/github.com_apple_swift-nio, versions 2.0.0-2.99.0) is Apple's non-blocking, event-driven networking framework for Swift. HTTP/1.1 request and response start lines consist of a method, URI, and HTTP version (requests) or status code and reason phrase (responses), separated by CRLF sequences as defined in RFC 9112. CWE-93 (Improper Neutralization of CRLF Sequences / CRLF Injection) describes the root cause: if a library emits unvalidated control characters into the wire format, an attacker who influences those values can terminate one logical message and inject a second. The two channel handlers responsible for outbound validation - NIOHTTPRequestHeadersValidator and NIOHTTPResponseHeadersValidator - were scoped only to header field names and values, leaving the URI (which must conform to RFC 3986 Section 3 and RFC 9112 Section 3.2), the HTTP method token (RFC 9110), and the response reason phrase (RFC 9112 Section 4) without any character-set enforcement. These handlers are installed automatically when an application calls addHTTPClientHandlers() or addHTTPServerHandlers().

RemediationAI

Vendor-released patch: swift-nio 2.100.0. Upgrading to 2.100.0 or any later release is the definitive fix; this version extends NIOHTTPRequestHeadersValidator to enforce RFC 9112 Section 3.2 and RFC 3986 Section 3 character sets on request URIs and RFC 9110 token grammar on custom HTTP methods, and extends NIOHTTPResponseHeadersValidator to enforce RFC 9112 Section 4 grammar on response reason phrases. After upgrading, applications will receive an HTTPParserError.invalidHeaderToken error when attempting to emit a non-conforming start line, preventing the malformed message from reaching the network. The upstream advisory is at https://github.com/apple/swift-nio/security/advisories/GHSA-cq87-8r7h-962v and the GitHub advisory mirror at https://github.com/advisories/GHSA-cq87-8r7h-962v. As a compensating control prior to patching, application developers can sanitize all user-controlled input by stripping or percent-encoding CR (0x0D) and LF (0x0A) characters before passing data to URI, method, or reason phrase fields; however, this approach is error-prone and places responsibility on each calling application rather than the framework layer, making it an unreliable long-term mitigation.

Share

CVE-2026-28970 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy