Skip to main content

cowlib CVE-2026-43970

| EUVDEUVD-2026-30131 HIGH
Improper Handling of Highly Compressed Data (Data Amplification) (CWE-409)
2026-05-13 EEF GHSA-84f2-rp86-235p
8.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 08, 2026 - 09:15 vuln.today
Analysis Generated
Jun 08, 2026 - 09:15 vuln.today
CVSS changed
May 13, 2026 - 19:22 NVD
8.2 (HIGH)

DescriptionCVE.org

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion.

cow_spdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY header compression dictionary (?ZDICT) is public, and zlib compresses long runs of repeated bytes at roughly 1024:1, so a few kilobytes of SPDY frame payload can decompress to gigabytes on the BEAM heap, OOM-killing the node. A single unauthenticated SPDY frame is sufficient to trigger the condition. The parsers for syn_stream, syn_reply, and headers frame types are all affected via cow_spdy:parse_headers/2.

This issue affects cowlib from 0.1.0 before 2.16.1.

AnalysisAI

Unauthenticated remote denial of service in ninenines cowlib (versions 0.1.0 through 2.16.0) allows a single crafted SPDY frame to exhaust BEAM VM memory via a zlib decompression bomb. The cow_spdy:inflate/2 path passes peer-controlled compressed bytes to zlib:inflate/2 without bounding output size, and because the SPDY ?ZDICT dictionary is public and zlib achieves roughly 1024:1 compression on repeated bytes, kilobytes of input expand to gigabytes of heap, OOM-killing the Erlang node. No public exploit identified at time of analysis, EPSS is low (0.14%), and CISA SSVC marks exploitation as none, but the upstream fix is to remove cow_spdy entirely in 2.16.1.

Technical ContextAI

cowlib is the low-level HTTP/SPDY/WebSocket parsing library underlying the Cowboy Erlang web server, widely used in Erlang/OTP and Elixir/Phoenix deployments. The defect is classified as CWE-409 (Improper Handling of Highly Compressed Data, a 'zip bomb' class amplification flaw): cow_spdy:inflate/2 forwards attacker-supplied compressed payloads into Erlang's zlib NIF (zlib:inflate/2) without bounding the decompressed length, while the SPDY/3 header compression context is preseeded with the well-known public ?ZDICT dictionary, allowing the attacker to construct a payload optimised for maximum expansion. All three SPDY header-bearing frame types - syn_stream, syn_reply, and headers - flow through the shared parse_headers/2 helper, so any of them can deliver the amplification. The affected CPE is cpe:2.3:a:ninenines:cowlib for all versions 0.1.0 up to but not including 2.16.1, and the upstream patch (commit 16aad3fb9f81f5cda4d1706ff0c54237c619c282) deletes the cow_spdy.erl module and removes it from the .app manifest rather than adding a decompressed-size limit.

RemediationAI

Vendor-released patch: cowlib 2.16.1, which removes the cow_spdy module entirely; upgrade the cowlib dependency in rebar.config, mix.exs, or your release lock file to 2.16.1 or later and rebuild all downstream releases (Cowboy, Phoenix, RabbitMQ, etc.) so the vulnerable module is no longer shipped in the BEAM load path. The upstream fix commit is https://github.com/ninenines/cowlib/commit/16aad3fb9f81f5cda4d1706ff0c54237c619c282 and the coordinating advisory is at https://cna.erlef.org/cves/CVE-2026-43970.html. If you cannot upgrade immediately, the effective compensating control is to ensure no SPDY listener is configured - SPDY is not enabled by default in Cowboy, so audit ranch/cowboy listener specs and reverse-proxy ALPN/NPN configuration to confirm only http/1.1 and h2 are negotiated, and remove any custom code that calls cow_spdy:parse/2 directly; as a network-layer fallback, terminate TLS at a front proxy that does not advertise the spdy/3 ALPN token, which prevents clients from ever reaching the vulnerable parser at the cost of dropping any (now extremely rare) legitimate SPDY clients.

Share

CVE-2026-43970 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy