CVE Catalog

CVE-2026-28898

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

9th percentile — higher than 9% of all known CVEs

Summary

The HTTP/2-to-HTTP/1.1 codec in swift-nio-http2 did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. Version 1.44.1 adds validation of all pseudo-headers (:path, :authority, :scheme, :method, :status) at both the HPACK header validation layer and the HTTP/2-to-HTTP/1.1 translation layer, rejecting requests or responses containing CR, LF, or NUL bytes.

Risk Assessment

An attacker can inject control characters (CR, LF, NUL) into HTTP/2 pseudo-headers, potentially leading to HTTP request smuggling, cache poisoning, or other communication integrity violations.

Recommendation

Immediately update swift-nio-http2 to version 1.44.1 or later, which includes the necessary pseudo-header validation.

Original NVD description (English source)

swift-nio-http2's HTTP/2-to-HTTP/1.1 codec did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. swift-nio-http2 1.44.1 adds validation of all pseudo-header values (:path, :authority, :scheme, :method, and :status) at both the HPACK header validation layer and the HTTP/2-to-HTTP/1.1 translation layer. Requests or responses containing CR, LF, or NUL bytes in any pseudo-header value are now rejected with a connection error. This issue is fixed in swift-nio-http2 1.44.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS