CVE Reports

Posted on • Originally published at cvereports.com

GHSA-4W98-XF39-23GP: Infinite Loop Denial of Service in ewe HTTP Trailer Parsing

Vulnerability ID: GHSA-4W98-XF39-23GP
CVSS Score: 7.5
Published: 2026-03-16

The ewe web server, developed in Gleam for the Erlang BEAM ecosystem, contains a Denial of Service vulnerability stemming from an infinite loop in its HTTP trailer parsing logic. Versions prior to 3.0.3 fail to advance the network buffer offset when they encounter an invalid or forbidden chunked trailer, so the parser re-reads the same bytes indefinitely. This flaw allows an unauthenticated remote attacker to drive the process to 100% CPU by sending a maliciously crafted HTTP/1.1 request.

TL;DR

Infinite loop in ewe's HTTP trailer parser allows unauthenticated remote attackers to cause a complete Denial of Service (DoS) via crafted chunked requests.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-835
  • Attack Vector: Network
  • CVSS Score: 7.5
  • Impact: High (Denial of Service)
  • Exploit Status: Proof of Concept Available
  • Authentication Required: None

Affected Systems

  • ewe web server: < 3.0.3 (fixed in 3.0.3)

Code Analysis

Commit: d8b9b8a

Primary fix: Advances buffer offset to header_rest in error paths within handle_trailers

Commit: 8513de9

Refactor: Introduces Buffer abstraction to manage parsing state
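The following is an added illustration of the bug class the advisory describes (CWE-835, a loop whose error path does not advance the buffer offset); it is not ewe's own code, which is written in Gleam, and the names `FORBIDDEN_TRAILERS`, `parse_trailers_stuck` and `parse_trailers_fixed` are hypothetical. The vulnerable shape uses a step budget in place of the real CPU spin so the example terminates; the fixed shape mirrors the fix summary above by moving the offset past the consumed line on every path, including the error paths.

```python
# Added illustration, not ewe's code. Hypothetical names; the real parser is Gleam.

# RFC 7230 forbids certain header fields in trailers; this constructed subset
# is enough to demonstrate the parser behaviour.
FORBIDDEN_TRAILERS = {b"content-length", b"transfer-encoding", b"host", b"trailer"}


def _split_header_line(buf: bytes, offset: int):
    """Return (line, rest_offset) for the CRLF-terminated line at `offset`,
    or (None, offset) when no complete line has been buffered yet."""
    end = buf.find(b"\r\n", offset)
    if end == -1:
        return None, offset
    return buf[offset:end], end + 2


def parse_trailers_stuck(buf: bytes, offset: int, max_steps: int = 1000):
    """Vulnerable shape: on an invalid or forbidden trailer the loop skips the
    line but leaves `offset` where it was, so the next iteration re-reads the
    same bytes. `max_steps` stands in for the real infinite loop; a result of
    'STUCK' means the parser would never return."""
    trailers = {}
    for _ in range(max_steps):
        line, rest = _split_header_line(buf, offset)
        if line is None:
            return "INCOMPLETE", trailers, offset
        if line == b"":
            return "DONE", trailers, rest  # empty line terminates the trailer section
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() in FORBIDDEN_TRAILERS:
            continue  # BUG: offset is never advanced to `rest`
        trailers[name.strip().lower()] = value.strip()
        offset = rest
    return "STUCK", trailers, offset


def parse_trailers_fixed(buf: bytes, offset: int):
    """Fixed shape: every exit, including rejection of a bad trailer, reports an
    offset that has moved past the bytes already consumed. Rejecting the request
    outright on a forbidden trailer is a fail-closed choice made for this example."""
    trailers = {}
    while True:
        line, rest = _split_header_line(buf, offset)
        if line is None:
            return "INCOMPLETE", trailers, offset
        if line == b"":
            return "DONE", trailers, rest
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() in FORBIDDEN_TRAILERS:
            return "REJECT", trailers, rest  # rejected, but the buffer advanced
        trailers[name.strip().lower()] = value.strip()
        offset = rest


# Constructed end of a chunked body: the zero-size last chunk, one forbidden
# trailer, one ordinary trailer, then the terminating empty line.
SAMPLE = b"0\r\nContent-Length: 5\r\nX-Checksum: abc\r\n\r\n"
TRAILER_START = SAMPLE.index(b"\r\n") + 2  # skip the "0\r\n" last-chunk line

if __name__ == "__main__":
    print("vulnerable:", parse_trailers_stuck(SAMPLE, TRAILER_START)[0])
    print("fixed:", parse_trailers_fixed(SAMPLE, TRAILER_START)[0])
```

The practical check this gives a reviewer is simple: in any loop that reads from a network buffer, every `continue` and every error return must leave the read position strictly ahead of where the iteration started, otherwise a single malformed line is enough to pin a scheduler.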

Mitigation Strategies

  • Upgrade the ewe package to version 3.0.3 or higher.
  • Implement WAF rules to drop HTTP/1.1 chunked requests containing restricted trailer headers.
  • Configure reverse proxies to strip HTTP trailers before forwarding requests to the ewe backend.
  • Downgrade incoming HTTP/1.1 traffic to HTTP/1.0 at the load balancer to eliminate chunked transfer encoding support entirely.

Remediation Steps:

  1. Identify all Gleam projects utilizing the ewe package.
  2. Update the ewe dependency version in gleam.toml to >= 3.0.3.
  3. Run the Gleam package manager command to fetch the updated dependency.
  4. Recompile the application and deploy the updated binaries to production environments.
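To support steps 1 and 2, here is an added audit script (not part of the advisory or the ewe project) that reads a Gleam `manifest.toml`, the lock file Gleam generates beside `gleam.toml`, and flags any resolved `ewe` entry below 3.0.3. The manifest excerpt is constructed in the layout Gleam writes (a top-level `packages` array of inline tables) with placeholder checksums; the regex fallback for Pythons without `tomllib` assumes that same layout.

```python
# Added audit helper, not from the advisory or the ewe project.
import re

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    tomllib = None

FIXED_VERSION = (3, 0, 3)  # from the advisory: ewe 3.0.3 contains the fix

# Constructed manifest.toml excerpt; checksums and sibling packages are dummies.
SAMPLE_MANIFEST = b"""
packages = [
  { name = "ewe", version = "3.0.1", build_tools = ["gleam"], requirements = ["gleam_stdlib"], otp_app = "ewe", source = "hex", outer_checksum = "PLACEHOLDER" },
  { name = "gleam_stdlib", version = "0.44.0", build_tools = ["gleam"], requirements = [], otp_app = "gleam_stdlib", source = "hex", outer_checksum = "PLACEHOLDER" },
]

[requirements]
ewe = { version = ">= 3.0.0 and < 4.0.0" }
"""


def parse_version(text: str) -> tuple:
    """Turn "3.0.1" (or "3.0.1-rc1") into a comparable numeric tuple; the
    pre-release tag is dropped, which is conservative for a fixed-version check."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def _resolved_packages(manifest_bytes: bytes):
    """Yield (name, version) pairs from the manifest's packages array."""
    text = manifest_bytes.decode("utf-8")
    if tomllib is not None:
        for pkg in tomllib.loads(text).get("packages", []):
            yield pkg["name"], pkg["version"]
    else:
        # Fallback assumes Gleam's field order: name first, then version.
        for m in re.finditer(r'name\s*=\s*"([^"]+)"\s*,\s*version\s*=\s*"([^"]+)"', text):
            yield m.group(1), m.group(2)


def find_vulnerable_ewe(manifest_bytes: bytes):
    """Return [(name, version)] for every resolved ewe entry below 3.0.3."""
    return [
        (name, version)
        for name, version in _resolved_packages(manifest_bytes)
        if name == "ewe" and parse_version(version) < FIXED_VERSION
    ]


if __name__ == "__main__":
    import pathlib
    import sys

    content = pathlib.Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for name, version in find_vulnerable_ewe(content):
        print(f"{name} {version} is below 3.0.3: raise the constraint in gleam.toml, "
              f"then run `gleam deps download` to refresh manifest.toml")
```

Run it as `python audit_ewe.py path/to/manifest.toml` from each project found in step 1; an empty result means the locked ewe version is already 3.0.3 or later. Checking the lock file rather than `gleam.toml` matters because a range such as `>= 3.0.0 and < 4.0.0` is satisfied by a vulnerable 3.0.1 until the dependency is actually re-resolved.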

Read the full report for GHSA-4W98-XF39-23GP on our website for more details including interactive diagrams and full exploit analysis.
