CVE-2026-28898 – swift-nio-http2 HTTP/2 to HTTP/1.1 Codec Control Character Header Injection

CVE ID :CVE-2026-28898

Published : June 25, 2026, 6:36 p.m. | 1 hour, 8 minutes ago

Description :swift-nio-http2’s HTTP/2-to-HTTP/1.1 codec did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. swift-nio-http2 1.44.1 adds validation of all pseudo-header values (:path, :authority, :scheme, :method, and :status) at both the HPACK header validation layer and the HTTP/2-to-HTTP/1.1 translation layer. Requests or responses containing CR, LF, or NUL bytes in any pseudo-header value are now rejected with a connection error. This issue is fixed in swift-nio-http2 1.44.1.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…