CVE-2021-21328

Name: CVE-2021-21328
Creator: NVD / NIST
Published: 2021-02-26T02:15:12.713+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.3/10EPSS 1.63%

Last modified Jun 17, 2026

CVE-2021-21328 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. Vapor is a web framework for Swift. In Vapor before version 4.40.1, there is a DoS attack against anyone who Bootstraps a metrics backend for their Vapor app. EPSS estimates a 1.63% chance of exploitation in the next 30 days.

Description

Vapor is a web framework for Swift. In Vapor before version 4.40.1, there is a DoS attack against anyone who Bootstraps a metrics backend for their Vapor app. The following is the attack vector: 1. send unlimited requests against a vapor instance with different paths. this will create unlimited counters and timers, which will eventually drain the system. 2. downstream services might suffer from this attack as well by being spammed with error paths. This has been patched in 4.40.1. The `DefaultResponder` will rewrite any undefined route paths for to `vapor_route_undefined` to avoid unlimited counters.

Metrics

CVSS 3.1

5.3/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS Probability

1.63%

73.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-400

Affected Software

Vendor	Product	Versions
Vapor Project	Vapor	< 4.40.1

References

https://github.com/vapor/vapor/commit/e3aa712508db2854ac0ab905696c65fd88fa7e23Patch, Third Party Advisory
https://github.com/vapor/vapor/releases/tag/4.40.1Release Notes, Third Party Advisory
https://github.com/vapor/vapor/security/advisories/GHSA-gcj9-jj38-hwmcThird Party Advisory
https://vapor.codes/Product
https://github.com/vapor/vapor/commit/e3aa712508db2854ac0ab905696c65fd88fa7e23Patch, Third Party Advisory
https://github.com/vapor/vapor/releases/tag/4.40.1Release Notes, Third Party Advisory
https://github.com/vapor/vapor/security/advisories/GHSA-gcj9-jj38-hwmcThird Party Advisory
https://vapor.codes/Product

Timeline

Published: Feb 26, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-21328?

How severe is CVE-2021-21328?

CVE-2021-21328 has a CVSS score of 5.3/10 (MEDIUM severity). The EPSS model estimates a 1.63% probability of exploitation in the next 30 days.

How do I fix CVE-2021-21328?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-21328?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST