The security weakness in Swift for Linux stems from the ability to nest malicious content arbitrarily deep in the JSON input.
Tuesday, November 3, 2020, 12:22 GMT
Fixed in Swift 5.1.5 for Linux under the title: JSONSerialization: Limit recursion when parsing.
Foundation’s JSONSerialization in Swift for Linux before 5.1.5 is vulnerable to a denial-of-service attack when parsing JSON. An attacker that can provide JSON input parsed using JSONSerialization (or JSONDecoder) can force JSONSerialization into arbitrarily deep recursion which can then lead to a stack overflow, crashing the process.
All versions of Swift for Linux up to and including 5.1.4 are affected by this issue.
Please make sure you quickly upgrade to Swift 5.1.5, either by downloading one of the available packages at swift.org/download/#releases or by using the latest Docker images.
Update Swift to version 5.1.5 or later.