Skip to main content

ninenines gun CVE-2026-43972

| EUVDEUVD-2026-35073 MEDIUM
Origin Validation Error (CWE-346)
2026-06-08 EEF GHSA-36w4-95hv-5vwg
6.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 08, 2026 - 16:54 vuln.today
Analysis Generated
Jun 08, 2026 - 16:54 vuln.today
CVSS changed
Jun 08, 2026 - 15:37 NVD
6.3 (MEDIUM)
CVE Published
Jun 08, 2026 - 14:12 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Origin Validation Error vulnerability in ninenines gun (gun_http2 module) allows cross-origin cookie injection via unvalidated HTTP/2 PUSH_PROMISE authority.

In gun_http2:push_promise_frame/7, the :authority pseudo-header from an incoming PUSH_PROMISE frame is stored verbatim into the promised stream record without checking that it matches the connection's origin. When gun_http2:headers_frame/9 later processes the response headers for the promised stream, it calls gun_cookies:set_cookie_header/7 with the unvalidated server-supplied authority before any status branching and before user code can act. This violates RFC 7540 §10.6 / RFC 9113 §8.4, which require receivers to treat as a protocol error any push for a resource the server is not authoritative for.

A malicious or compromised HTTP/2 server can plant cookies scoped to arbitrary third-party domains into the client's shared cookie store. This enables session fixation attacks against those domains and, if the planted cookie overrides a legitimate session token, may result in account takeover. No user interaction beyond making a normal HTTP/2 request to the attacker-controlled server is required.

This issue affects gun: from 2.0.0 before 2.4.0.

AnalysisAI

Cross-origin cookie injection in ninenines gun (versions 2.0.0 through 2.3.x) allows a malicious or compromised HTTP/2 server to plant cookies scoped to arbitrary third-party domains into the client's shared cookie store. The gun_http2 module fails to validate the :authority pseudo-header in incoming PUSH_PROMISE frames before passing the server-supplied value to the cookie-setting path, violating RFC 7540 §10.6 and RFC 9113 §8.4. This enables session fixation attacks against third-party domains and may lead to account takeover if planted cookies override legitimate session tokens; no public exploit identified at time of analysis. Note: the 'RCE' tag present in source intelligence is not supported by any available data and appears to be erroneous metadata.

Technical ContextAI

gun is an Erlang HTTP/1.1, HTTP/2, and WebSocket client library maintained by ninenines. The affected module, gun_http2.erl, implements the HTTP/2 framing layer. HTTP/2 PUSH_PROMISE frames allow servers to proactively push resources to clients, but RFC 7540 §10.6 and RFC 9113 §8.4 mandate that clients MUST treat as a protocol error any push for a resource the server is not authoritative for. The root cause is CWE-346 (Origin Validation Error): in push_promise_frame/7, the :authority pseudo-header extracted from the PUSH_PROMISE frame was stored verbatim into the promised stream record without verifying it matches the established connection's scheme and authority. This unvalidated value was then passed downstream to gun_cookies:set_cookie_header/7, which set cookies scoped to the attacker-supplied authority rather than the actual connection origin. The fix (commit 567863ff) adds an explicit comparison of PromisedScheme and PromisedAuthority against the current stream's own Scheme and Authority; a mismatch triggers RST_STREAM with PROTOCOL_ERROR, and the new test push_promise_invalid_authority confirms this path. Affected CPE: cpe:2.3:a:ninenines:gun:*:*:*:*:*:*:*:* for versions 2.0.0 through 2.3.x.

RemediationAI

The primary fix is upgrading to gun 2.4.0 or later, which incorporates commit 567863ff53802fed21c3b3f25812db7f7ae29676, adding authority validation that rejects mismatched PUSH_PROMISE frames with RST_STREAM PROTOCOL_ERROR. The vendor advisory is at https://cna.erlef.org/cves/CVE-2026-43972.html. If an immediate upgrade is not feasible, the most effective compensating control is to force gun to use HTTP/1.1 by setting protocols => [http] in the gun:open/3 options map, which completely bypasses the vulnerable PUSH_PROMISE code path; the trade-off is the loss of HTTP/2 multiplexing and push performance. Alternatively, server push can be disabled at the HTTP/2 SETTINGS level by sending SETTINGS_ENABLE_PUSH=0 at connection open, though this depends on gun exposing that configuration in the version in use. Applications that were running affected versions against untrusted servers should audit their cookie stores for unexpected third-party domain entries as a post-incident measure.

Share

CVE-2026-43972 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy