Origin Validation Error vulnerability in ninenines gun (gun_http2 module) allows cross-origin cookie injection via unvalidated HTTP/2 PUSH_PROMISE authority.
In gun_http2:push_promise_frame/7, the :authority pseudo-header from an incoming PUSH_PROMISE frame is stored verbatim into the promised stream record without checking that it matches the connection's origin. When gun_http2:headers_frame/9 later processes the response headers for the promised stream, it calls gun_cookies:set_cookie_header/7 with the unvalidated server-supplied authority before any status branching and before user code can act. This violates RFC 7540 §10.6 / RFC 9113 §8.4, which require receivers to treat as a protocol error any push for a resource the server is not authoritative for.
A malicious or compromised HTTP/2 server can plant cookies scoped to arbitrary third-party domains into the client's shared cookie store. This enables session fixation attacks against those domains and, if the planted cookie overrides a legitimate session token, may result in account takeover. No user interaction beyond making a normal HTTP/2 request to the attacker-controlled server is required.
This issue affects gun: from 2.0.0 before 2.4.0.
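A strict same-origin check on the pushed :authority, run before any cookie from the promised stream is stored, as an added example (not gun's code and not the 2.4.0 fix). The module name, the {Scheme, Host, Port} origin tuple and the sample hosts are assumptions, and the host-and-port equality test is narrower than the authority rule in the RFCs.

```erlang
%% Added example; not code from gun. Names and the origin tuple are hypothetical.
-module(push_origin_check).
-export([check_push/2, demo/0]).

%% Origin: the connection's own {Scheme, Host, Port}.
%% Authority: the :authority pseudo-header from the PUSH_PROMISE frame.
%% Anything but `ok` means: reset the promised stream, store no cookies.
check_push({Scheme, Host, Port}, Authority) ->
    Expected = {lower(Host), Port},
    case parse_authority(lower(Authority), default_port(Scheme)) of
        Expected -> ok;
        _ -> {error, protocol_error}
    end.

parse_authority(<<"[", _/binary>> = A, Default) ->  %% IPv6 literal
    case binary:split(A, <<"]">>) of
        [H, <<>>] -> {<<H/binary, "]">>, Default};
        [H, <<":", P/binary>>] -> with_port(<<H/binary, "]">>, P);
        _ -> error
    end;
parse_authority(A, Default) ->
    %% An "@" (userinfo) or a second ":" makes the value ambiguous: reject.
    case {binary:match(A, <<"@">>), binary:split(A, <<":">>, [global])} of
        {nomatch, [H]} when H =/= <<>> -> {H, Default};
        {nomatch, [H, P]} when H =/= <<>> -> with_port(H, P);
        _ -> error
    end.

with_port(Host, P) ->
    try binary_to_integer(P) of
        N when N > 0, N < 65536 -> {Host, N};
        _ -> error
    catch error:badarg -> error
    end.

default_port(<<"https">>) -> 443;
default_port(<<"http">>) -> 80.

%% ASCII-only lowercasing, so malformed bytes cannot raise here.
lower(Bin) ->
    << <<(if C >= $A, C =< $Z -> C + 32; true -> C end)>> || <<C>> <= Bin >>.

%% Constructed inputs: a connection to app.example:443 receiving four pushes.
demo() ->
    Origin = {<<"https">>, <<"app.example">>, 443},
    [{A, check_push(Origin, A)} || A <- [<<"app.example">>, <<"APP.example:443">>,
        <<"bank.example">>, <<"app.example@bank.example">>]].
```

`push_origin_check:demo()` returns `ok` for the first two authorities and `{error, protocol_error}` for the last two.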
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43972.json",
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "871989eef53663285c165fdfb83a5918ebe00d41"
},
{
"fixed": "567863ff53802fed21c3b3f25812db7f7ae29676"
}
]
}
],
"cwe_ids": [
"CWE-346"
],
"cna_assigner": "EEF"
}