CVE Catalog

CVE-2026-43974

HighCVSS 8.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.04%

12th percentile - higher than 12% of all known CVEs

Summary

A vulnerability in the gun_http module of ninenines allows a malicious HTTP server to force the client into raw protocol mode via an unsolicited 101 Switching Protocols response. The lack of proper checks in the handle_inform/8 function enables this behavior.

Risk Assessment

A malicious server can flood the client with unbounded data, leading to memory exhaustion and ultimately crashing the virtual machine. This poses a significant risk to the stability of applications using this module.

Recommendation

It is recommended to update the gun module to version 2.4.0 or later to mitigate this vulnerability. Additionally, implementing extra checks to validate server responses is advisable.

Original NVD description (English source)

Unexpected Status Code or Return Value vulnerability in ninenines gun (gun_http module) allows a malicious HTTP server to force the client into raw protocol mode via an unsolicited 101 Switching Protocols response. In gun_http:handle_inform/8, when a 101 Switching Protocols response is received over HTTP/1.1, the function verifies only that the Upgrade header is syntactically valid and that the stream reference is a plain reference(). It does not check whether the client ever sent an Upgrade or Connection: upgrade header on the corresponding request. Because this check is absent, any 101 response (solicited or not) causes gun to dispatch a gun_upgrade message to the caller and transition the entire connection to raw protocol mode. A malicious or compromised HTTP server can send an unsolicited 101 response to any HTTP/1.1 request, causing the gun client to abandon HTTP framing for that connection. Once in raw mode, gun_raw applies no flow control (flow=infinity) and re-arms socket active mode after every received packet, so the server can flood the client with arbitrary bytes. These are forwarded as unbounded gun_data messages to the owner process, exhausting its mailbox and BEAM memory, ultimately crashing the VM. This issue affects gun: from 2.0.0 before 2.4.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS