Ewe
CVE-2026-32873
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
ewe is a Gleam web server. Versions 0.8.0 through 3.0.4 contain a bug in the handle_trailers function where rejected trailer headers (forbidden or undeclared) cause an infinite loop. When handle_trailers encounters such a trailer, three code paths (lines 520, 523, 526) recurse with the original buffer (rest) instead of advancing past the rejected header (Buffer(header_rest, 0)), causing decoder.decode_packet to re-parse the same header on every iteration. The resulting loop has no timeout or escape - the BEAM process permanently wedges at 100% CPU. Any application that calls ewe.read_body on chunked requests is affected, and this is exploitable by any unauthenticated remote client before control returns to application code, making an application-level workaround impossible. This issue is fixed in version 3.0.5.
AnalysisAI
The ewe Gleam web server contains an infinite loop vulnerability in the handle_trailers function that permanently wedges the BEAM process at 100% CPU when processing rejected trailer headers in chunked HTTP requests. Versions 0.8.0 through 3.0.4 are affected, and any unauthenticated remote attacker can exploit this before application code executes, making mitigation at the application level impossible. The vulnerability is patched in version 3.0.5, and while no active exploitation (KEV) or EPSS score is reported, the low attack complexity and network accessibility make this a readily exploitable denial-of-service condition.
Technical ContextAI
The ewe project is a web server implementation written in Gleam that runs on the BEAM virtual machine (Erlang VM). The vulnerability stems from CWE-825 (Expired Pointer Dereference) manifesting as an infinite loop in HTTP/1.1 chunked transfer encoding trailer processing. When the handle_trailers function encounters forbidden or undeclared trailer headers, three code paths (lines 520, 523, 526) recursively call themselves with the original buffer instead of advancing the buffer pointer past the rejected header. This causes the decoder.decode_packet function to perpetually re-parse the same header data, creating an unbounded recursion with no timeout mechanism. The BEAM process becomes permanently stuck consuming 100% CPU, as the function never advances the buffer position (Buffer(header_rest, 0)) and instead continuously processes the same bytes (rest).
RemediationAI
Upgrade the ewe web server to version 3.0.5 or later, which contains the fix for the infinite loop vulnerability as documented in commits 8513de9dcdd0005f727c0f6f15dd89f8d626f560 and d8b9b8a86470c0cb5696647997c2f34763506e37 available at https://github.com/vshakitskiy/ewe. Review the security advisory at https://github.com/vshakitskiy/ewe/security/advisories/GHSA-4w98-xf39-23gp for additional guidance. Because the vulnerability is triggered before application code executes and no application-level workaround is possible, immediate patching is the only effective mitigation. As an interim measure, organizations can deploy rate limiting, connection timeouts, and Web Application Firewall (WAF) rules at the network perimeter to detect and block malformed chunked requests with invalid trailer headers, though these controls may not provide complete protection against determined attackers.
Same weakness CWE-825 – Expired Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-4w98-xf39-23gp