Description
swift-nio-http2's HTTP/2-to-HTTP/1.1 codec did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. swift-nio-http2 1.44.1 adds validation of all pseudo-header values (:path, :authority, :scheme, :method, and :status) at both the HPACK header validation layer and the HTTP/2-to-HTTP/1.1 translation layer. Requests or responses containing CR, LF, or NUL bytes in any pseudo-header value are now rejected with a connection error. This issue is fixed in swift-nio-http2 1.44.1.
Published: 2026-06-25
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The swift-nio-http2 library did not validate pseudo-header values before translating HTTP/2 frames into HTTP/1.1 messages, allowing carriage return, line feed, or NUL characters to be injected into the resulting HTTP/1.1 header set. This omission could enable an attacker to craft HTTP/2 requests or responses containing control characters that corrupt the downstream HTTP/1.1 parsing logic, potentially leading to header injection or response splitting attacks.

Affected Systems

Apple's swift-nio-http2 library is affected. All versions prior to 1.44.1 expose the flaw; version 1.44.1 implements validation and rejects any pseudo-header containing CR, LF, or NUL bytes with a connection error.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity. EPSS data is not available, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is a network connection that speaks HTTP/2; an adversary could send malicious pseudo-headers containing control characters to a vulnerable server or client, resulting in malformed HTTP/1.1 headers that may be interpreted as injection points. No public exploit is known, but the lack of validation presents a real risk if an attacker can influence pseudo-headers.

Generated by OpenCVE AI on June 25, 2026 at 21:23 UTC.
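As an added illustration (not code from swift-nio-http2 or from this advisory), the following Python models the translation step the description covers: each pseudo-header value is checked for CR, LF and NUL before it is written into the HTTP/1.1 request line, and a header block that fails the check is refused with a connection error. The names H2ConnectionError, translate_request, request_is_rejected and the sample header block are constructed for this example.

```python
from typing import Dict, Iterable, List, Tuple

PSEUDO_HEADERS = {":method", ":scheme", ":authority", ":path", ":status"}
FORBIDDEN_BYTES = {0x0D, 0x0A, 0x00}  # CR, LF, NUL

class H2ConnectionError(Exception):
    """Models the connection error (GOAWAY) the fixed library raises."""

def validate_pseudo_header(name: str, value: bytes) -> None:
    """The 1.44.1 check: reject any CR, LF or NUL byte in a pseudo-header value."""
    for b in value:
        if b in FORBIDDEN_BYTES:
            raise H2ConnectionError(f"control byte 0x{b:02x} in {name}")

def translate_request(headers: Iterable[Tuple[str, bytes]], validate: bool = True) -> bytes:
    """Translate HTTP/2 header pairs into an HTTP/1.1 request head.
    validate=False models the pre-1.44.1 codec, which copied pseudo-header
    values into the request line without inspecting them."""
    pseudo: Dict[str, bytes] = {}
    regular: List[Tuple[str, bytes]] = []
    for name, value in headers:
        if name.startswith(":"):
            if validate:
                validate_pseudo_header(name, value)
            pseudo[name] = value
        else:
            regular.append((name, value))
    if ":method" not in pseudo or ":path" not in pseudo:
        raise H2ConnectionError("missing :method or :path")
    lines = [pseudo[":method"] + b" " + pseudo[":path"] + b" HTTP/1.1"]
    if ":authority" in pseudo:  # :authority becomes the Host header
        lines.append(b"host: " + pseudo[":authority"])
    lines += [n.encode("ascii") + b": " + v for n, v in regular]
    return b"\r\n".join(lines) + b"\r\n\r\n"

def request_is_rejected(headers: Iterable[Tuple[str, bytes]]) -> bool:
    """True if the validating translation refuses the header block."""
    try:
        translate_request(headers)
    except H2ConnectionError:
        return True
    return False

# Constructed sample (not from the advisory): a :path carrying CRLF, which the
# old codec would write straight into the request line as an extra header line.
SAMPLE_HEADERS = [(":method", b"GET"), (":scheme", b"https"), (":authority", b"example.test"),
                  (":path", b"/index\r\nx-injected: 1"), ("user-agent", b"demo")]
```

Running translate_request(SAMPLE_HEADERS, validate=False) shows the pre-fix output, where the second CRLF-separated line of the request head is the injected header rather than a line the client sent; with validation on, the same block raises H2ConnectionError before any bytes are produced.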

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade swift-nio-http2 to version 1.44.1 or later in all affected codebases
  • Disable HTTP/2 support or add strict header validation at the application boundary until the library upgrade can be applied
  • Notify development and operations teams about the vulnerability and monitor logs for connection errors or header validation failures

Generated by OpenCVE AI on June 25, 2026 at 21:23 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-4px2-pw77-vc85
Title: SwiftNIO HTTP/2: HTTP/2-to-HTTP/1 Request Smuggling via unvalidated :path pseudo-header in HTTP2ToHTTP1Codec
History

Thu, 25 Jun 2026 21:45:00 +0000

Type  | Values Removed | Values Added
Title |                | Control Characters in HTTP/2 Pseudo-Headers Not Validated in swift-nio-http2

Thu, 25 Jun 2026 20:30:00 +0000

Type       | Values Removed | Values Added
Weaknesses |                | CWE-116
Metrics    |                | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
           |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 25 Jun 2026 19:00:00 +0000

Type        | Values Removed | Values Added
Description |                | swift-nio-http2's HTTP/2-to-HTTP/1.1 codec did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. swift-nio-http2 1.44.1 adds validation of all pseudo-header values (:path, :authority, :scheme, :method, and :status) at both the HPACK header validation layer and the HTTP/2-to-HTTP/1.1 translation layer. Requests or responses containing CR, LF, or NUL bytes in any pseudo-header value are now rejected with a connection error. This issue is fixed in swift-nio-http2 1.44.1.
References  |                |

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-06-25T19:28:38.970Z

Reserved: 2026-03-03T16:36:03.983Z

Link: CVE-2026-28898

Vulnrichment

Updated: 2026-06-25T19:23:57.755Z

NVD

No data.

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T21:30:11Z

Weaknesses
  • CWE-116: Improper Encoding or Escaping of Output