Skip to main content

Gun

3 CVEs product

Monthly

CVE-2026-43973 HIGH PATCH This Week

Memory exhaustion denial of service in Ninenines Gun (Erlang HTTP client) versions 1.0.0 through 2.3.x allows a malicious or compromised HTTP/1.1 server to crash the entire BEAM node by sending an unterminated response. The gun_http module accumulates incoming bytes into a per-connection buffer without any size ceiling, and since BEAM imposes no default per-process heap limit, a single connection can consume all node memory. No public exploit identified at time of analysis, though the upstream patch and accompanying test cases publicly demonstrate the triggering server behavior.

Denial Of Service Gun
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-43972 MEDIUM PATCH This Month

Cross-origin cookie injection in ninenines gun (versions 2.0.0 through 2.3.x) allows a malicious or compromised HTTP/2 server to plant cookies scoped to arbitrary third-party domains into the client's shared cookie store. The gun_http2 module fails to validate the :authority pseudo-header in incoming PUSH_PROMISE frames before passing the server-supplied value to the cookie-setting path, violating RFC 7540 §10.6 and RFC 9113 §8.4. This enables session fixation attacks against third-party domains and may lead to account takeover if planted cookies override legitimate session tokens; no public exploit identified at time of analysis. Note: the 'RCE' tag present in source intelligence is not supported by any available data and appears to be erroneous metadata.

RCE Gun
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-43974 HIGH PATCH This Week

Denial-of-service in the Erlang HTTP client library Ninenines gun (versions 2.0.0 through 2.3.x) lets a malicious or compromised HTTP/1.1 server force any gun client into raw protocol mode by returning an unsolicited 101 Switching Protocols response, after which the server can flood the client owner process with unbounded gun_data messages and exhaust BEAM VM memory. No public exploit identified at time of analysis, but the fix is trivial and the issue is reachable from any plain HTTP/1.1 request to an attacker-controlled host. CVSS 4.0 8.7 reflects the unauthenticated, network-reachable, high-availability-only impact.

Denial Of Service Gun
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Memory exhaustion denial of service in Ninenines Gun (Erlang HTTP client) versions 1.0.0 through 2.3.x allows a malicious or compromised HTTP/1.1 server to crash the entire BEAM node by sending an unterminated response. The gun_http module accumulates incoming bytes into a per-connection buffer without any size ceiling, and since BEAM imposes no default per-process heap limit, a single connection can consume all node memory. No public exploit identified at time of analysis, though the upstream patch and accompanying test cases publicly demonstrate the triggering server behavior.

Denial Of Service Gun
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Cross-origin cookie injection in ninenines gun (versions 2.0.0 through 2.3.x) allows a malicious or compromised HTTP/2 server to plant cookies scoped to arbitrary third-party domains into the client's shared cookie store. The gun_http2 module fails to validate the :authority pseudo-header in incoming PUSH_PROMISE frames before passing the server-supplied value to the cookie-setting path, violating RFC 7540 §10.6 and RFC 9113 §8.4. This enables session fixation attacks against third-party domains and may lead to account takeover if planted cookies override legitimate session tokens; no public exploit identified at time of analysis. Note: the 'RCE' tag present in source intelligence is not supported by any available data and appears to be erroneous metadata.

RCE Gun
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial-of-service in the Erlang HTTP client library Ninenines gun (versions 2.0.0 through 2.3.x) lets a malicious or compromised HTTP/1.1 server force any gun client into raw protocol mode by returning an unsolicited 101 Switching Protocols response, after which the server can flood the client owner process with unbounded gun_data messages and exhaust BEAM VM memory. No public exploit identified at time of analysis, but the fix is trivial and the issue is reachable from any plain HTTP/1.1 request to an attacker-controlled host. CVSS 4.0 8.7 reflects the unauthenticated, network-reachable, high-availability-only impact.

Denial Of Service Gun
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy