SwiftNIO NIOHTTP1: HTTPDecoder accepts unbounded HTTP/1 header blocks, enabling remote DoS
- When
- Where
- Global (internet)
- Category
- cyber_advisory · swift
### Summary

The `HTTPDecoder` in `NIOHTTP1` enforces no limit on the total size of an HTTP/1 message's header block or on the number of header fields per message. A remote peer can submit an arbitrary number of small, valid headers in a single request and have them all accumulated into the resulting `HTTPHeaders` value before any application code runs. This can be used to exhaust memory, or — for consumers that subsequently convert headers into `swift-http-types`' `HTTPFields` — to crash the process.

### Details

`HTTPDecoder` previously enforced only a single hardcoded parsing limit: 80 KB per individual header field (name + value). There was no cap on the cumulative size of the header block, nor on the number of header fields per message. Because each individual field can remain well below the 80 KB threshold, a peer can submit hundreds of thousands of valid headers in a single request, all of which are appended to the decoded `HTTPHeaders` without bound. The headers are then visible to user code through the standard `HTTPServerRequestPart.head` / `HTTPClientResponsePart.head` events.

Two observed downstream effects:

- **Hummingbird 2** (and other consumers that bridge `HTTPHeaders` into `swift-http-types`' `HTTPFields`) crashes via a precondition failure inside `HTTPFields` once the configured field count is exceeded.
- **Vapor 4** does not crash, but the per-request memory footprint scales linearly with the number of headers received, allowing a single connection to inflate server memory use substantially.

### Impact

A single unauthenticated remote peer can trigger a denial of service against any HTTP/1 server (or, in the response direction, any HTTP/1 client) built on `NIOHTTP1` — either by crashing the process, depending on the downstream framework, or by driving the process's resident memory to arbitrary sizes.

### Patches

This issue is addressed in `swift-nio` 2.100.0 and later.

The `HTTPDecoder` now applies three parsing limits with conservative defaults, exposed through the new `NIOHTTPDecoderLimitConfiguration` type:

| Limit | Default |
| --- | --- |
| `maxHeaderFieldSize` | 80 KB |
| `maxHeaderListSize` | 2 MB |
| `maxHeaderFieldCount` | 256 |

Exceeding any of these limits causes the decoder to fail with `HTTPParserError.headerOverflow`. The configuration can be supplied directly to `HTTPRequestDecoder` / `HTTPResponseDecoder`, or via the `decoderConfiguration` property on `NIOUpgradableHTTPServerPipelineConfiguration` and `NIOUpgradableHTTPClientPipelineConfiguration`. Users who require larger limits — for example, applications that legitimately exchange very large header blocks — can opt into them explicitly by constructing a custom `NIOHTTPDecoderLimitConfiguration`.

### Workarounds

Users unable to upgrade can mitigate by placing a reverse proxy in front of the service that enforces equivalent limits on request header count and total header size.

### Credit

This issue was reported by @Joannis. SwiftNIO thanks @Joannis for the report and the support in landing the fix.
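As an added illustration (not SwiftNIO's code), the following Python model applies the three decoder limits described above to a constructed request whose header block holds many tiny fields. It shows why the pre-fix per-field cap alone admits such a block while the list-size and field-count limits reject it; the byte values for 80 KB / 2 MB and the inclusive-maximum semantics are assumptions.

```python
# Stand-alone model of the NIOHTTP1 header-block limits from the advisory.
# Assumption: 80 KB = 80 * 1024 bytes, 2 MB = 2 * 1024 * 1024 bytes, and a
# limit of N means "at most N" (exceeding N triggers the overflow error).

class HeaderOverflow(Exception):
    """Stands in for HTTPParserError.headerOverflow."""

DEFAULT_LIMITS = {"max_field_size": 80 * 1024,
                  "max_list_size": 2 * 1024 * 1024,
                  "max_field_count": 256}
# Pre-fix behaviour: only the per-field cap existed.
PRE_FIX_LIMITS = {"max_field_size": 80 * 1024,
                  "max_list_size": None,
                  "max_field_count": None}

def parse_header_block(block: bytes, limits=DEFAULT_LIMITS):
    """Parse CRLF-separated 'Name: value' lines up to the blank line,
    enforcing per-field size, cumulative size and field count."""
    headers, total = [], 0
    for line in block.split(b"\r\n"):
        if line == b"":            # blank line ends the header block
            break
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line")
        value = value.strip()
        field_size = len(name) + len(value)
        if field_size > limits["max_field_size"]:
            raise HeaderOverflow("field too large")
        total += field_size
        if limits["max_list_size"] is not None and total > limits["max_list_size"]:
            raise HeaderOverflow("header list too large")
        headers.append((name.decode("ascii"), value.decode("ascii")))
        if limits["max_field_count"] is not None and len(headers) > limits["max_field_count"]:
            raise HeaderOverflow("too many header fields")
    return headers

def build_request(n_headers: int) -> bytes:
    """Constructed sample: a valid request with Host plus n small X-i headers."""
    lines = [b"GET / HTTP/1.1", b"Host: example.test"]
    lines += [b"X-%d: a" % i for i in range(n_headers)]
    return b"\r\n".join(lines) + b"\r\n\r\n"

def decode_outcome(request: bytes, limits) -> str:
    """Return 'accepted:<count>' or 'headerOverflow:<reason>' for a request."""
    block = request.split(b"\r\n", 1)[1]   # drop the request line
    try:
        return "accepted:%d" % len(parse_header_block(block, limits))
    except HeaderOverflow as exc:
        return "headerOverflow:%s" % exc
```

With `PRE_FIX_LIMITS` a block of ten thousand one-byte headers is accepted in full, which is the memory-growth path the advisory describes; with `DEFAULT_LIMITS` the same block fails at the 257th field.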
Sources
- GitHub Advisory Database ↗ · first seen 2026-06-12 15:07 UTC