VYPR
Moderate severity · NVD Advisory · Published Jul 9, 2021 · Updated Aug 3, 2024

Untrusted data fed into `Data.init(base32Encoded:)` can result in exposing server memory and/or crash

CVE-2021-32742

Description

A bug in Vapor's Data.init(base32Encoded:) can expose memory or crash the server when processing untrusted input; fixed in 4.47.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A bug exists in the Data.init(base32Encoded:) function of Vapor, a server-side Swift web framework, in versions 4.47.1 and prior [1][4]. The flaw can lead to exposure of server memory or cause a denial of service (crash) if untrusted data is passed to this function. Vapor itself does not call this function internally, so the vulnerability only affects applications that directly use Data.init(base32Encoded:) or rely on dependencies that do [1][4].

Exploitation

An attacker would need to supply crafted base32-encoded data to an application that invokes the vulnerable Data.init(base32Encoded:) function [1][4]. No special network position or authentication is required beyond the ability to deliver the malicious input to the affected function. The exact exploitation steps are not publicly detailed, but the bug is triggered by decoding malformed base32 strings [1].

Impact

Successful exploitation can result in exposure of sensitive server memory or cause the server process to crash (denial of service) [1][4]. The impact depends on how the application uses the function; memory disclosure may leak confidential data, while crashes disrupt availability. The attacker does not gain code execution or elevated privileges from this vulnerability alone.

Mitigation

The vulnerability is patched in Vapor version 4.47.2, released on July 9, 2021 [1][2][4]. As a workaround, applications can avoid using Vapor's built-in Data.init(base32Encoded:) and use an alternative base32 decoding implementation [1][4]. No other workarounds are documented. The CVE is not listed on the CISA Known Exploited Vulnerabilities catalog as of this writing.
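The workaround above calls for an alternative base32 decoder. The following is an added example, not Vapor's code or its fix: a strict RFC 4648 decoder in Swift that validates length, padding and every character before producing output. The names `strictBase32Decode` and `Base32Error` and the `maxLength` default are assumptions made for illustration.

```swift
import Foundation

enum Base32Error: Error { case tooLong, invalidCharacter, invalidLength, nonCanonical }

// Hypothetical helper, not part of Vapor: strict RFC 4648 base32 decoding
// (uppercase alphabet, optional "=" padding) for untrusted input.
func strictBase32Decode(_ input: String, maxLength: Int = 1024) throws -> Data {
    var bytes = Array(input.utf8)
    // Bound the work done on untrusted input (the limit is an assumption).
    guard bytes.count <= maxLength else { throw Base32Error.tooLong }
    // Strip trailing padding and remember how much there was.
    var padding = 0
    while bytes.last == UInt8(ascii: "=") { bytes.removeLast(); padding += 1 }
    // Only these remainders encode a whole number of bytes.
    let remainder = bytes.count % 8
    guard [0, 2, 4, 5, 7].contains(remainder) else { throw Base32Error.invalidLength }
    // Padding, when present, must complete the final 8-character group.
    guard padding == 0 || padding == (8 - remainder) % 8 else { throw Base32Error.invalidLength }

    var output = Data()
    var buffer: UInt32 = 0
    var bits = 0
    for byte in bytes {
        // Every byte is range-checked before it contributes to the output.
        let value: UInt32
        switch byte {
        case UInt8(ascii: "A")...UInt8(ascii: "Z"): value = UInt32(byte - UInt8(ascii: "A"))
        case UInt8(ascii: "2")...UInt8(ascii: "7"): value = UInt32(byte - UInt8(ascii: "2")) + 26
        default: throw Base32Error.invalidCharacter
        }
        buffer = (buffer << 5) | value
        bits += 5
        if bits >= 8 {
            bits -= 8
            output.append(UInt8(buffer >> bits))
            buffer &= (UInt32(1) << bits) - 1
        }
    }
    // Leftover bits of a canonical encoding are zero.
    guard buffer == 0 else { throw Base32Error.nonCanonical }
    return output
}

// Constructed sample inputs: one valid RFC 4648 vector and three malformed strings.
for sample in ["MZXW6YTBOI======", "MZXW6YTBO", "mzxw6===", "MZ=XW6=="] {
    do {
        let decoded = try strictBase32Decode(sample)
        print(sample, "->", decoded.count, "bytes")
    } catch { print(sample, "-> rejected:", error) }
}
```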

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| github.com/vapor/vapor (SwiftURL) | < 4.47.2 | 4.47.2 |

References

4
