Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion.
cow_spdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY header compression dictionary (?ZDICT) is public, and zlib compresses long runs of repeated bytes at roughly 1024:1, so a few kilobytes of SPDY frame payload can decompress to gigabytes on the BEAM heap, OOM-killing the node. A single unauthenticated SPDY frame is sufficient to trigger the condition. The parsers for syn_stream, syn_reply, and headers frame types are all affected via cow_spdy:parse_headers/2.
This issue affects cowlib from 0.1.0 before 2.16.1.
AnalysisAI
Unauthenticated remote denial of service in ninenines cowlib (versions 0.1.0 through 2.16.0) allows a single crafted SPDY frame to exhaust BEAM VM memory via a zlib decompression bomb. The cow_spdy:inflate/2 path passes peer-controlled compressed bytes to zlib:inflate/2 without bounding output size, and because the SPDY ?ZDICT dictionary is public and zlib achieves roughly 1024:1 compression on repeated bytes, kilobytes of input expand to gigabytes of heap, OOM-killing the Erlang node. No public exploit identified at time of analysis, EPSS is low (0.14%), and CISA SSVC marks exploitation as none, but the upstream fix is to remove cow_spdy entirely in 2.16.1.
Technical ContextAI
cowlib is the low-level HTTP/SPDY/WebSocket parsing library underlying the Cowboy Erlang web server, widely used in Erlang/OTP and Elixir/Phoenix deployments. The defect is classified as CWE-409 (Improper Handling of Highly Compressed Data, a 'zip bomb' class amplification flaw): cow_spdy:inflate/2 forwards attacker-supplied compressed payloads into Erlang's zlib NIF (zlib:inflate/2) without bounding the decompressed length, while the SPDY/3 header compression context is preseeded with the well-known public ?ZDICT dictionary, allowing the attacker to construct a payload optimised for maximum expansion. All three SPDY header-bearing frame types - syn_stream, syn_reply, and headers - flow through the shared parse_headers/2 helper, so any of them can deliver the amplification. The affected CPE is cpe:2.3:a:ninenines:cowlib for all versions 0.1.0 up to but not including 2.16.1, and the upstream patch (commit 16aad3fb9f81f5cda4d1706ff0c54237c619c282) deletes the cow_spdy.erl module and removes it from the .app manifest rather than adding a decompressed-size limit.
RemediationAI
Vendor-released patch: cowlib 2.16.1, which removes the cow_spdy module entirely; upgrade the cowlib dependency in rebar.config, mix.exs, or your release lock file to 2.16.1 or later and rebuild all downstream releases (Cowboy, Phoenix, RabbitMQ, etc.) so the vulnerable module is no longer shipped in the BEAM load path. The upstream fix commit is https://github.com/ninenines/cowlib/commit/16aad3fb9f81f5cda4d1706ff0c54237c619c282 and the coordinating advisory is at https://cna.erlef.org/cves/CVE-2026-43970.html. If you cannot upgrade immediately, the effective compensating control is to ensure no SPDY listener is configured - SPDY is not enabled by default in Cowboy, so audit ranch/cowboy listener specs and reverse-proxy ALPN/NPN configuration to confirm only http/1.1 and h2 are negotiated, and remove any custom code that calls cow_spdy:parse/2 directly; as a network-layer fallback, terminate TLS at a front proxy that does not advertise the spdy/3 ALPN token, which prevents clients from ever reaching the vulnerable parser at the cost of dropping any (now extremely rare) legitimate SPDY clients.
Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow_http_te module) allows Excessive Allocation. T
HTTP response splitting in ninenines cowlib allows network-accessible attackers to inject arbitrary HTTP headers when ap
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows SSE event splittin
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows HTTP request split
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30131
GHSA-84f2-rp86-235p