Skip to main content

Ninenines gun EUVDEUVD-2026-35072

| CVE-2026-43974 HIGH
Improper Enforcement of Behavioral Workflow (CWE-841)
2026-06-08 EEF GHSA-2j82-37xg-f9wp
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 08, 2026 - 16:52 vuln.today
Analysis Generated
Jun 08, 2026 - 16:52 vuln.today
CVSS changed
Jun 08, 2026 - 15:37 NVD
8.7 (HIGH)
CVE Published
Jun 08, 2026 - 14:12 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Unexpected Status Code or Return Value vulnerability in ninenines gun (gun_http module) allows a malicious HTTP server to force the client into raw protocol mode via an unsolicited 101 Switching Protocols response.

In gun_http:handle_inform/8, when a 101 Switching Protocols response is received over HTTP/1.1, the function verifies only that the Upgrade header is syntactically valid and that the stream reference is a plain reference(). It does not check whether the client ever sent an Upgrade or Connection: upgrade header on the corresponding request. Because this check is absent, any 101 response (solicited or not) causes gun to dispatch a gun_upgrade message to the caller and transition the entire connection to raw protocol mode.

A malicious or compromised HTTP server can send an unsolicited 101 response to any HTTP/1.1 request, causing the gun client to abandon HTTP framing for that connection. Once in raw mode, gun_raw applies no flow control (flow=infinity) and re-arms socket active mode after every received packet, so the server can flood the client with arbitrary bytes. These are forwarded as unbounded gun_data messages to the owner process, exhausting its mailbox and BEAM memory, ultimately crashing the VM.

This issue affects gun: from 2.0.0 before 2.4.0.

AnalysisAI

Denial-of-service in the Erlang HTTP client library Ninenines gun (versions 2.0.0 through 2.3.x) lets a malicious or compromised HTTP/1.1 server force any gun client into raw protocol mode by returning an unsolicited 101 Switching Protocols response, after which the server can flood the client owner process with unbounded gun_data messages and exhaust BEAM VM memory. No public exploit identified at time of analysis, but the fix is trivial and the issue is reachable from any plain HTTP/1.1 request to an attacker-controlled host. CVSS 4.0 8.7 reflects the unauthenticated, network-reachable, high-availability-only impact.

Technical ContextAI

Gun is a widely used Erlang/OTP HTTP/1.1, HTTP/2 and WebSocket client maintained by Loïc Hoguin (ninenines), commonly embedded in BEAM-based services to make outbound HTTP calls. The bug is a CWE-841 (Improper Enforcement of Behavioral Workflow) flaw in gun_http:handle_inform/8: per RFC 7230 a 101 Switching Protocols response is only valid in reply to a request that itself sent Upgrade and Connection: upgrade headers, but the pre-patch code validated only that the server's Upgrade header parsed correctly and that the stream reference was a plain reference(). Any 101 therefore dispatched a {gun_upgrade,...} message to the owner and switched the connection to gun_raw, which runs with flow=infinity and re-arms socket active mode after every packet, removing all backpressure between the socket and the owner mailbox. The vendor commit 5b48068 introduces an upgrade field on the #stream{} record populated from the outbound request's Connection/Upgrade headers and a new is_expected_upgrade_response/2 check that rejects any 101 the client did not solicit, replying with {gun_error, protocol_error} and closing the connection.

RemediationAI

Vendor-released patch: upgrade gun to 2.4.0 or later, which incorporates upstream commit 5b48068c29ce5e112cb149b5857c7d4dc319a81b that adds the is_expected_upgrade_response/2 check; rebuild and redeploy any release that vendored or statically linked an older gun. Where an immediate upgrade is not feasible, restrict gun-based outbound HTTP/1.1 traffic to a known allowlist of trusted hosts (eliminating the malicious-server precondition), or force connections to HTTP/2 by passing protocols => [http2] in gun:open/3 options where the remote endpoint supports it, since the bug is in the HTTP/1.1 state machine only; both workarounds reduce attack surface but break legitimate WebSocket/h2c upgrades and any HTTP/1.1-only integrations. As a containment measure, run gun client owner processes under a supervisor with memory limits or a max_heap_size so a flood crashes only the owner rather than the BEAM VM, accepting that legitimate large streamed responses may also be terminated. Track the vendor advisory at https://cna.erlef.org/cves/CVE-2026-43974.html and the fix commit at https://github.com/ninenines/gun/commit/5b48068c29ce5e112cb149b5857c7d4dc319a81b.

Share

EUVD-2026-35072 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy