Skip to main content

Ewe CVE-2026-32881

MEDIUM
Permissive List of Allowed Inputs (CWE-183)
2026-03-20 security-advisories@github.com
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 20, 2026 - 08:37 vuln.today
CVE Published
Mar 20, 2026 - 02:16 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

ewe is a Gleam web server. ewe is a Gleam web server. Versions 0.6.0 through 3.0.4 are vulnerable to authentication bypass or spoofed proxy-trust headers. Chunked transfer encoding trailer handling merges declared trailer fields into req.headers after body parsing, but the denylist only blocks 9 header names. A malicious client can exploit this by declaring these headers in the Trailer field and appending them after the final chunk, causing request.set_header to overwrite legitimate values (e.g., those set by a reverse proxy). This enables attackers to forge authentication credentials, hijack sessions, bypass IP-based rate limiting, or spoof proxy-trust headers in any downstream middleware that reads headers after ewe.read_body is called. This issue has been fixed in version 3.0.5.

AnalysisAI

ewe, a Gleam web server, contains an authentication bypass vulnerability in versions 0.6.0 through 3.0.4 that exploits improper handling of chunked transfer encoding trailer headers. An unauthenticated remote attacker can declare sensitive HTTP headers in the Trailer field and append them after the final chunk to overwrite legitimate values set by reverse proxies, enabling them to forge authentication credentials, hijack sessions, bypass rate limiting, or spoof proxy-trust headers. The vulnerability has been patched in version 3.0.5, and while not currently listed in CISA's KEV catalog, the CVSS score of 5.3 reflects medium severity with integrity impact.

Technical ContextAI

This vulnerability exploits improper implementation of HTTP/1.1 chunked transfer encoding as defined in RFC 7230, specifically the trailer headers mechanism. The ewe web server merges trailer fields declared in the Trailer header into the request.headers dictionary after body parsing, but maintains only a denylist of 9 blocked header names rather than a secure allowlist approach. The root cause is classified under CWE-183 (Permissive Allowlist Entry), where the incomplete filtering mechanism allows attackers to inject headers that bypass authentication and proxy-trust validation. The vulnerability affects Gleam applications using ewe as their HTTP server layer, where downstream middleware trusts header values read after the ewe.read_body() call without re-validating their origin or authenticity.

RemediationAI

Upgrade ewe to version 3.0.5 or later immediately. For Gleam projects using ewe, update your dependency declaration and rebuild. The fixes committed at 07dcfd2135fc95f38c17a9d030de3d7efee1ee39 and 94ab6e7bf7293e987ae98b4daa51ea131c2671ba address the trailer header handling by implementing a more restrictive validation strategy. Until patching is possible, implement defense-in-depth measures: configure reverse proxies to validate and reject requests with suspicious trailer headers, use an allowlist of expected headers rather than relying on ewe's denylist, and avoid trusting authentication headers that can be set via HTTP request bodies or trailers. Monitor logs for requests with Trailer headers containing auth-related fields (Authorization, X-Forwarded-User, etc.). Refer to the official advisory at https://github.com/vshakitskiy/ewe/security/advisories/GHSA-9w88-79f8-m3vp for detailed guidance.

Share

CVE-2026-32881 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy