This is a DoS attack against anyone who Bootstraps a metrics backend for their Vapor app with the following attack vector:
This has been patched in 4.40.1. The DefaultResponder
will rewrite any undefined route paths for to vapor_route_undefined
to avoid unlimited counters.
Don't bootstrap a metrics system or upgrade to 4.40.1
If you have any questions or comments about this advisory: * Open an issue in Vapor * Ask in Discord