EEF-CVE-2026-43973

See a problem?
Please try reporting it to the source first.

Source

https://cna.erlef.org/osv/EEF-CVE-2026-43973.html

Import Source

https://cna.erlef.org/osv/EEF-CVE-2026-43973.json

JSON Data

https://api.test.osv.dev/v1/vulns/EEF-CVE-2026-43973

Aliases

CVE-2026-43973

Published

2026-06-08T14:12:42.128Z

Modified

2026-06-08T16:35:01.405Z

Severity

8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

gun HTTP/1.1 response buffer has no size limit allowing server-controlled memory exhaustion

Details

Summary

Uncontrolled Resource Consumption vulnerability in ninenines gun (gun_http module) allows a malicious server to exhaust client memory via unbounded HTTP/1.1 response buffering.

In gunhttp:handle/5, three clauses accumulate incoming TCP data into the connection's buffer field using binary concatenation with no upper-bound check: the head clause appends data until the \r\n\r\n header terminator is found; the bodychunked clause appends data whenever cowhttpte:streamchunked/2 returns a more result indicating an incomplete chunk boundary; and the bodytrailer clause appends data until the trailing \r\n\r\n is found. In each case, when the expected terminator never arrives, the enlarged binary is stored back into state and the process waits for more data, with no configurable or hard-coded ceiling on buffer size.

A malicious or compromised server can exploit this by sending a partial response that never completes. For example, a response may begin with HTTP/1.1 200 OK\r\nX-Pad: followed by an unbounded stream of arbitrary bytes, never sending the header terminator. The gun connection process will continuously append the incoming data to its buffer, causing unbounded heap growth. Because BEAM imposes no per-process heap limit by default, a single malicious connection can exhaust all available memory on the node, causing a node-wide out-of-memory crash.

This issue affects gun: from 1.0.0 before 2.4.0.

Database specific

{
    "cpe_ids": [
        "cpe:2.3:a:ninenines:gun:*:*:*:*:*:*:*:*"
    ],
    "cwe_ids": [
        "CWE-770"
    ],
    "capec_ids": [
        "CAPEC-130"
    ]
}

References

Credits

- Peter Ullrich - FINDER
- Loïc Hoguin - REMEDIATION_DEVELOPER

Affected packages

Hex / gun

Package

Name: gun
Purl: pkg:hex/gun

Affected ranges

Type: SEMVER
Events: Introduced

1.0.0

Fixed

2.4.0

Affected versions

1.*

1.0.0

1.1.0

1.2.0

1.3.0

1.3.1

1.3.2

1.3.3

2.*

2.0.0-rc.1

2.0.0-rc.2

2.0.0

2.0.1

2.1.0

2.2.0

2.3.0

Database specific

source

"https://cna.erlef.org/osv/EEF-CVE-2026-43973.json"

Git / github.com/ninenines/gun.git

Affected ranges

Type: GIT
Repo: https://github.com/ninenines/gun.git
Events: Introduced

11dfe71f4b9aedaaedea2ad3b2f32fd006a8480f

Fixed

f3e7e0568b3c4cf9fa4bea79d5116e67ce76ad25

Affected versions

1.*

1.0.0

1.0.0-pre.1

1.0.0-pre.2

1.0.0-pre.3

1.0.0-pre.4

1.0.0-pre.5

1.0.0-rc.1