Search criteria
3 vulnerabilities found for gun by ninenines
CVE-2026-43973 (GCVE-0-2026-43973)
Vulnerability from cvelistv5 – Published: 2026-06-08 14:12 – Updated: 2026-06-08 16:35
VLAI?
Title
gun HTTP/1.1 response buffer has no size limit allowing server-controlled memory exhaustion
Summary
Uncontrolled Resource Consumption vulnerability in ninenines gun (gun_http module) allows a malicious server to exhaust client memory via unbounded HTTP/1.1 response buffering.
In gun_http:handle/5, three clauses accumulate incoming TCP data into the connection's buffer field using binary concatenation with no upper-bound check: the head clause appends data until the \r\n\r\n header terminator is found; the body_chunked clause appends data whenever cow_http_te:stream_chunked/2 returns a more result indicating an incomplete chunk boundary; and the body_trailer clause appends data until the trailing \r\n\r\n is found. In each case, when the expected terminator never arrives, the enlarged binary is stored back into state and the process waits for more data, with no configurable or hard-coded ceiling on buffer size.
A malicious or compromised server can exploit this by sending a partial response that never completes. For example, a response may begin with HTTP/1.1 200 OK\r\nX-Pad: followed by an unbounded stream of arbitrary bytes, never sending the header terminator. The gun connection process will continuously append the incoming data to its buffer, causing unbounded heap growth. Because BEAM imposes no per-process heap limit by default, a single malicious connection can exhaust all available memory on the node, causing a node-wide out-of-memory crash.
This issue affects gun: from 1.0.0 before 2.4.0.
Severity ?
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
Credits
Peter Ullrich
Loïc Hoguin
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-43973",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T15:48:05.292583Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T15:48:12.581Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ninenines:gun:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"gun_http"
],
"packageName": "gun",
"packageURL": "pkg:hex/gun",
"product": "gun",
"programFiles": [
"src/gun_http.erl"
],
"programRoutines": [
{
"name": "gun_http:handle/5"
}
],
"repo": "https://github.com/ninenines/gun",
"vendor": "ninenines",
"versions": [
{
"lessThan": "2.4.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:ninenines:gun:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"gun_http"
],
"packageName": "ninenines/gun",
"packageURL": "pkg:github/ninenines/gun",
"product": "gun",
"programFiles": [
"src/gun_http.erl"
],
"programRoutines": [
{
"name": "gun_http:handle/5"
}
],
"repo": "https://github.com/ninenines/gun.git",
"vendor": "ninenines",
"versions": [
{
"lessThan": "f3e7e0568b3c4cf9fa4bea79d5116e67ce76ad25",
"status": "affected",
"version": "11dfe71f4b9aedaaedea2ad3b2f32fd006a8480f",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ninenines:gun:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.4.0",
"versionStartIncluding": "1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lo\u00efc Hoguin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Uncontrolled Resource Consumption vulnerability in ninenines gun (\u003ctt\u003egun_http\u003c/tt\u003e module) allows a malicious server to exhaust client memory via unbounded HTTP/1.1 response buffering.\u003cp\u003eIn \u003ctt\u003egun_http:handle/5\u003c/tt\u003e, three clauses accumulate incoming TCP data into the connection\u0027s \u003ctt\u003ebuffer\u003c/tt\u003e field using binary concatenation with no upper-bound check: the \u003ctt\u003ehead\u003c/tt\u003e clause appends data until the \u003ctt\u003e\\r\\n\\r\\n\u003c/tt\u003e header terminator is found; the \u003ctt\u003ebody_chunked\u003c/tt\u003e clause appends data whenever \u003ctt\u003ecow_http_te:stream_chunked/2\u003c/tt\u003e returns a \u003ctt\u003emore\u003c/tt\u003e result indicating an incomplete chunk boundary; and the \u003ctt\u003ebody_trailer\u003c/tt\u003e clause appends data until the trailing \u003ctt\u003e\\r\\n\\r\\n\u003c/tt\u003e is found. In each case, when the expected terminator never arrives, the enlarged binary is stored back into state and the process waits for more data, with no configurable or hard-coded ceiling on buffer size.\u003c/p\u003e\u003cp\u003eA malicious or compromised server can exploit this by sending a partial response that never completes. For example, a response may begin with \u003ctt\u003eHTTP/1.1 200 OK\\r\\nX-Pad: \u003c/tt\u003e followed by an unbounded stream of arbitrary bytes, never sending the header terminator. The gun connection process will continuously append the incoming data to its buffer, causing unbounded heap growth. Because BEAM imposes no per-process heap limit by default, a single malicious connection can exhaust all available memory on the node, causing a node-wide out-of-memory crash.\u003c/p\u003e\u003cp\u003eThis issue affects gun: from 1.0.0 before 2.4.0.\u003c/p\u003e"
}
],
"value": "Uncontrolled Resource Consumption vulnerability in ninenines gun (gun_http module) allows a malicious server to exhaust client memory via unbounded HTTP/1.1 response buffering.\n\nIn gun_http:handle/5, three clauses accumulate incoming TCP data into the connection\u0027s buffer field using binary concatenation with no upper-bound check: the head clause appends data until the \\r\\n\\r\\n header terminator is found; the body_chunked clause appends data whenever cow_http_te:stream_chunked/2 returns a more result indicating an incomplete chunk boundary; and the body_trailer clause appends data until the trailing \\r\\n\\r\\n is found. In each case, when the expected terminator never arrives, the enlarged binary is stored back into state and the process waits for more data, with no configurable or hard-coded ceiling on buffer size.\n\nA malicious or compromised server can exploit this by sending a partial response that never completes. For example, a response may begin with HTTP/1.1 200 OK\\r\\nX-Pad: followed by an unbounded stream of arbitrary bytes, never sending the header terminator. The gun connection process will continuously append the incoming data to its buffer, causing unbounded heap growth. Because BEAM imposes no per-process heap limit by default, a single malicious connection can exhaust all available memory on the node, causing a node-wide out-of-memory crash.\n\nThis issue affects gun: from 1.0.0 before 2.4.0."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T16:35:01.405Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"related",
"third-party-advisory"
],
"url": "https://cna.erlef.org/cves/CVE-2026-43973.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-43973"
},
{
"tags": [
"patch"
],
"url": "https://github.com/ninenines/gun/commit/f3e7e0568b3c4cf9fa4bea79d5116e67ce76ad25"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "gun HTTP/1.1 response buffer has no size limit allowing server-controlled memory exhaustion",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-43973",
"datePublished": "2026-06-08T14:12:42.128Z",
"dateReserved": "2026-05-04T18:23:25.574Z",
"dateUpdated": "2026-06-08T16:35:01.405Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43972 (GCVE-0-2026-43972)
Vulnerability from cvelistv5 – Published: 2026-06-08 14:12 – Updated: 2026-06-08 16:34
VLAI?
Title
gun HTTP/2 PUSH_PROMISE authority not validated against connection origin allows cross-origin cookie injection
Summary
Origin Validation Error vulnerability in ninenines gun (gun_http2 module) allows cross-origin cookie injection via unvalidated HTTP/2 PUSH_PROMISE authority.
In gun_http2:push_promise_frame/7, the :authority pseudo-header from an incoming PUSH_PROMISE frame is stored verbatim into the promised stream record without checking that it matches the connection's origin. When gun_http2:headers_frame/9 later processes the response headers for the promised stream, it calls gun_cookies:set_cookie_header/7 with the unvalidated server-supplied authority before any status branching and before user code can act. This violates RFC 7540 §10.6 / RFC 9113 §8.4, which require receivers to treat as a protocol error any push for a resource the server is not authoritative for.
A malicious or compromised HTTP/2 server can plant cookies scoped to arbitrary third-party domains into the client's shared cookie store. This enables session fixation attacks against those domains and, if the planted cookie overrides a legitimate session token, may result in account takeover. No user interaction beyond making a normal HTTP/2 request to the attacker-controlled server is required.
This issue affects gun: from 2.0.0 before 2.4.0.
Severity ?
CWE
- CWE-346 - Origin Validation Error
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
Credits
Peter Ullrich
Loïc Hoguin
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-43972",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T15:42:59.352280Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T15:43:06.577Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ninenines:gun:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"gun_http2"
],
"packageName": "gun",
"packageURL": "pkg:hex/gun",
"product": "gun",
"programFiles": [
"src/gun_http2.erl"
],
"programRoutines": [
{
"name": "gun_http2:push_promise_frame/7"
},
{
"name": "gun_http2:headers_frame/9"
}
],
"repo": "https://github.com/ninenines/gun",
"vendor": "ninenines",
"versions": [
{
"lessThan": "2.4.0",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:ninenines:gun:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"gun_http2"
],
"packageName": "ninenines/gun",
"packageURL": "pkg:github/ninenines/gun",
"product": "gun",
"programFiles": [
"src/gun_http2.erl"
],
"programRoutines": [
{
"name": "gun_http2:push_promise_frame/7"
},
{
"name": "gun_http2:headers_frame/9"
}
],
"repo": "https://github.com/ninenines/gun.git",
"vendor": "ninenines",
"versions": [
{
"lessThan": "567863ff53802fed21c3b3f25812db7f7ae29676",
"status": "affected",
"version": "871989eef53663285c165fdfb83a5918ebe00d41",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe vulnerability is exploitable only when gun is configured with a \u003ctt\u003ecookie_store\u003c/tt\u003e and connects to an HTTP/2 server with server push enabled.\u003c/p\u003e"
}
],
"value": "The vulnerability is exploitable only when gun is configured with a cookie_store and connects to an HTTP/2 server with server push enabled."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ninenines:gun:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.4.0",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lo\u00efc Hoguin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Origin Validation Error vulnerability in ninenines gun (\u003ctt\u003egun_http2\u003c/tt\u003e module) allows cross-origin cookie injection via unvalidated HTTP/2 PUSH_PROMISE authority.\u003cp\u003eIn \u003ctt\u003egun_http2:push_promise_frame/7\u003c/tt\u003e, the \u003ctt\u003e:authority\u003c/tt\u003e pseudo-header from an incoming PUSH_PROMISE frame is stored verbatim into the promised stream record without checking that it matches the connection\u0027s origin. When \u003ctt\u003egun_http2:headers_frame/9\u003c/tt\u003e later processes the response headers for the promised stream, it calls \u003ctt\u003egun_cookies:set_cookie_header/7\u003c/tt\u003e with the unvalidated server-supplied authority before any status branching and before user code can act. This violates RFC 7540 \u00a710.6 / RFC 9113 \u00a78.4, which require receivers to treat as a protocol error any push for a resource the server is not authoritative for.\u003c/p\u003e\u003cp\u003eA malicious or compromised HTTP/2 server can plant cookies scoped to arbitrary third-party domains into the client\u0027s shared cookie store. This enables session fixation attacks against those domains and, if the planted cookie overrides a legitimate session token, may result in account takeover. No user interaction beyond making a normal HTTP/2 request to the attacker-controlled server is required.\u003c/p\u003e\u003cp\u003eThis issue affects gun: from 2.0.0 before 2.4.0.\u003c/p\u003e"
}
],
"value": "Origin Validation Error vulnerability in ninenines gun (gun_http2 module) allows cross-origin cookie injection via unvalidated HTTP/2 PUSH_PROMISE authority.\n\nIn gun_http2:push_promise_frame/7, the :authority pseudo-header from an incoming PUSH_PROMISE frame is stored verbatim into the promised stream record without checking that it matches the connection\u0027s origin. When gun_http2:headers_frame/9 later processes the response headers for the promised stream, it calls gun_cookies:set_cookie_header/7 with the unvalidated server-supplied authority before any status branching and before user code can act. This violates RFC 7540 \u00a710.6 / RFC 9113 \u00a78.4, which require receivers to treat as a protocol error any push for a resource the server is not authoritative for.\n\nA malicious or compromised HTTP/2 server can plant cookies scoped to arbitrary third-party domains into the client\u0027s shared cookie store. This enables session fixation attacks against those domains and, if the planted cookie overrides a legitimate session token, may result in account takeover. No user interaction beyond making a normal HTTP/2 request to the attacker-controlled server is required.\n\nThis issue affects gun: from 2.0.0 before 2.4.0."
}
],
"impacts": [
{
"capecId": "CAPEC-61",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-61 Session Fixation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346 Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T16:34:45.350Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"related",
"third-party-advisory"
],
"url": "https://cna.erlef.org/cves/CVE-2026-43972.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-43972"
},
{
"tags": [
"patch"
],
"url": "https://github.com/ninenines/gun/commit/567863ff53802fed21c3b3f25812db7f7ae29676"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "gun HTTP/2 PUSH_PROMISE authority not validated against connection origin allows cross-origin cookie injection",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-43972",
"datePublished": "2026-06-08T14:12:38.780Z",
"dateReserved": "2026-05-04T18:23:25.574Z",
"dateUpdated": "2026-06-08T16:34:45.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43974 (GCVE-0-2026-43974)
Vulnerability from cvelistv5 – Published: 2026-06-08 14:12 – Updated: 2026-06-08 16:34
VLAI?
Title
gun HTTP/1.1 client accepts unsolicited 101 Switching Protocols response allowing server-driven protocol hijack and OOM
Summary
Unexpected Status Code or Return Value vulnerability in ninenines gun (gun_http module) allows a malicious HTTP server to force the client into raw protocol mode via an unsolicited 101 Switching Protocols response.
In gun_http:handle_inform/8, when a 101 Switching Protocols response is received over HTTP/1.1, the function verifies only that the Upgrade header is syntactically valid and that the stream reference is a plain reference(). It does not check whether the client ever sent an Upgrade or Connection: upgrade header on the corresponding request. Because this check is absent, any 101 response (solicited or not) causes gun to dispatch a gun_upgrade message to the caller and transition the entire connection to raw protocol mode.
A malicious or compromised HTTP server can send an unsolicited 101 response to any HTTP/1.1 request, causing the gun client to abandon HTTP framing for that connection. Once in raw mode, gun_raw applies no flow control (flow=infinity) and re-arms socket active mode after every received packet, so the server can flood the client with arbitrary bytes. These are forwarded as unbounded gun_data messages to the owner process, exhausting its mailbox and BEAM memory, ultimately crashing the VM.
This issue affects gun: from 2.0.0 before 2.4.0.
Severity ?
CWE
- CWE-841 - Improper Enforcement of Behavioral Workflow
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
Credits
Peter Ullrich
Loïc Hoguin
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-43974",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T15:41:42.657559Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T15:41:49.498Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ninenines:gun:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"gun_http"
],
"packageName": "gun",
"packageURL": "pkg:hex/gun",
"product": "gun",
"programFiles": [
"src/gun_http.erl"
],
"programRoutines": [
{
"name": "gun_http:handle_inform/8"
}
],
"repo": "https://github.com/ninenines/gun",
"vendor": "ninenines",
"versions": [
{
"lessThan": "2.4.0",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:ninenines:gun:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"gun_http"
],
"packageName": "ninenines/gun",
"packageURL": "pkg:github/ninenines/gun",
"product": "gun",
"programFiles": [
"src/gun_http.erl"
],
"programRoutines": [
{
"name": "gun_http:handle_inform/8"
}
],
"repo": "https://github.com/ninenines/gun.git",
"vendor": "ninenines",
"versions": [
{
"lessThan": "5b48068c29ce5e112cb149b5857c7d4dc319a81b",
"status": "affected",
"version": "a3c2edbb8c807717e2f10520c6cf1e77a62eab2e",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ninenines:gun:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.4.0",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lo\u00efc Hoguin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unexpected Status Code or Return Value vulnerability in ninenines gun (\u003ctt\u003egun_http\u003c/tt\u003e module) allows a malicious HTTP server to force the client into raw protocol mode via an unsolicited 101 Switching Protocols response.\u003cp\u003eIn \u003ctt\u003egun_http:handle_inform/8\u003c/tt\u003e, when a \u003ctt\u003e101 Switching Protocols\u003c/tt\u003e response is received over HTTP/1.1, the function verifies only that the \u003ctt\u003eUpgrade\u003c/tt\u003e header is syntactically valid and that the stream reference is a plain \u003ctt\u003ereference()\u003c/tt\u003e. It does not check whether the client ever sent an \u003ctt\u003eUpgrade\u003c/tt\u003e or \u003ctt\u003eConnection: upgrade\u003c/tt\u003e header on the corresponding request. Because this check is absent, any 101 response (solicited or not) causes gun to dispatch a \u003ctt\u003egun_upgrade\u003c/tt\u003e message to the caller and transition the entire connection to raw protocol mode.\u003c/p\u003e\u003cp\u003eA malicious or compromised HTTP server can send an unsolicited 101 response to any HTTP/1.1 request, causing the gun client to abandon HTTP framing for that connection. Once in raw mode, \u003ctt\u003egun_raw\u003c/tt\u003e applies no flow control (\u003ctt\u003eflow=infinity\u003c/tt\u003e) and re-arms socket \u003ctt\u003eactive\u003c/tt\u003e mode after every received packet, so the server can flood the client with arbitrary bytes. These are forwarded as unbounded \u003ctt\u003egun_data\u003c/tt\u003e messages to the owner process, exhausting its mailbox and BEAM memory, ultimately crashing the VM.\u003c/p\u003e\u003cp\u003eThis issue affects gun: from 2.0.0 before 2.4.0.\u003c/p\u003e"
}
],
"value": "Unexpected Status Code or Return Value vulnerability in ninenines gun (gun_http module) allows a malicious HTTP server to force the client into raw protocol mode via an unsolicited 101 Switching Protocols response.\n\nIn gun_http:handle_inform/8, when a 101 Switching Protocols response is received over HTTP/1.1, the function verifies only that the Upgrade header is syntactically valid and that the stream reference is a plain reference(). It does not check whether the client ever sent an Upgrade or Connection: upgrade header on the corresponding request. Because this check is absent, any 101 response (solicited or not) causes gun to dispatch a gun_upgrade message to the caller and transition the entire connection to raw protocol mode.\n\nA malicious or compromised HTTP server can send an unsolicited 101 response to any HTTP/1.1 request, causing the gun client to abandon HTTP framing for that connection. Once in raw mode, gun_raw applies no flow control (flow=infinity) and re-arms socket active mode after every received packet, so the server can flood the client with arbitrary bytes. These are forwarded as unbounded gun_data messages to the owner process, exhausting its mailbox and BEAM memory, ultimately crashing the VM.\n\nThis issue affects gun: from 2.0.0 before 2.4.0."
}
],
"impacts": [
{
"capecId": "CAPEC-220",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-220 Client-Server Protocol Manipulation"
}
]
},
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-841",
"description": "CWE-841 Improper Enforcement of Behavioral Workflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T16:34:38.989Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"related",
"third-party-advisory"
],
"url": "https://cna.erlef.org/cves/CVE-2026-43974.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-43974"
},
{
"tags": [
"patch"
],
"url": "https://github.com/ninenines/gun/commit/5b48068c29ce5e112cb149b5857c7d4dc319a81b"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "gun HTTP/1.1 client accepts unsolicited 101 Switching Protocols response allowing server-driven protocol hijack and OOM",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-43974",
"datePublished": "2026-06-08T14:12:36.957Z",
"dateReserved": "2026-05-04T18:23:25.574Z",
"dateUpdated": "2026-06-08T16:34:38.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}