Skip to main content

Ewe

2 CVEs product

Monthly

CVE-2026-32881 MEDIUM This Month

ewe, a Gleam web server, contains an authentication bypass vulnerability in versions 0.6.0 through 3.0.4 that exploits improper handling of chunked transfer encoding trailer headers. An unauthenticated remote attacker can declare sensitive HTTP headers in the Trailer field and append them after the final chunk to overwrite legitimate values set by reverse proxies, enabling them to forge authentication credentials, hijack sessions, bypass rate limiting, or spoof proxy-trust headers. The vulnerability has been patched in version 3.0.5, and while not currently listed in CISA's KEV catalog, the CVSS score of 5.3 reflects medium severity with integrity impact.

Authentication Bypass Ewe
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-32873 HIGH GHSA This Week

The ewe Gleam web server contains an infinite loop vulnerability in the handle_trailers function that permanently wedges the BEAM process at 100% CPU when processing rejected trailer headers in chunked HTTP requests. Versions 0.8.0 through 3.0.4 are affected, and any unauthenticated remote attacker can exploit this before application code executes, making mitigation at the application level impossible. The vulnerability is patched in version 3.0.5, and while no active exploitation (KEV) or EPSS score is reported, the low attack complexity and network accessibility make this a readily exploitable denial-of-service condition.

Denial Of Service Ewe
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
EPSS 0% CVSS 5.3
MEDIUM This Month

ewe, a Gleam web server, contains an authentication bypass vulnerability in versions 0.6.0 through 3.0.4 that exploits improper handling of chunked transfer encoding trailer headers. An unauthenticated remote attacker can declare sensitive HTTP headers in the Trailer field and append them after the final chunk to overwrite legitimate values set by reverse proxies, enabling them to forge authentication credentials, hijack sessions, bypass rate limiting, or spoof proxy-trust headers. The vulnerability has been patched in version 3.0.5, and while not currently listed in CISA's KEV catalog, the CVSS score of 5.3 reflects medium severity with integrity impact.

Authentication Bypass Ewe
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

The ewe Gleam web server contains an infinite loop vulnerability in the handle_trailers function that permanently wedges the BEAM process at 100% CPU when processing rejected trailer headers in chunked HTTP requests. Versions 0.8.0 through 3.0.4 are affected, and any unauthenticated remote attacker can exploit this before application code executes, making mitigation at the application level impossible. The vulnerability is patched in version 3.0.5, and while no active exploitation (KEV) or EPSS score is reported, the low attack complexity and network accessibility make this a readily exploitable denial-of-service condition.

Denial Of Service Ewe
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy