DEV Community

CVE Reports

Posted on • Originally published at cvereports.com


GHSA-9W88-79F8-M3VP: Insecure Trailer Handling Allows HTTP Header Injection in ewe

Vulnerability ID: GHSA-9W88-79F8-M3VP
CVSS Score: 6.5
Published: 2026-03-16

The ewe web server library for Gleam/Erlang contains a moderate-severity vulnerability in its HTTP/1.1 chunked transfer encoding parser. Prior to version 3.0.5, the library utilized an incomplete denylist for processing HTTP trailer headers, enabling attackers to inject or overwrite critical request headers such as Authorization, Cookie, or X-Forwarded-For. This flaw allows for potential authentication bypass, session hijacking, or identity spoofing depending on the specific application logic deployed atop the library.

TL;DR

The ewe library incorrectly permitted trailing HTTP headers to overwrite primary request headers due to a permissive denylist. Attackers could exploit this to forge sensitive headers like Authorization or Cookie, bypassing security controls. The issue is resolved in version 3.0.5 by implementing a strict allowlist.

⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-184
  • Attack Vector: Network
  • CVSS v3.1 Score: 6.5
  • Impact: Header Injection / Authentication Bypass
  • Exploit Status: PoC
  • CISA KEV: False

Affected Systems

  • ewe web server library
  • Gleam ecosystem
  • Erlang ecosystem
  • ewe: < 3.0.5 (Fixed in: 3.0.5)

Code Analysis

Commit: 07dcfd2

Initial introduction of vulnerable trailer logic with permissive denylist.

Commit: 94ab6e7

Fix trailer handling by implementing a strict allowlist for headers.
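To make the allowlist fix concrete, the following Python is an added example (not ewe's Gleam/Erlang code and not from the commit above): a minimal chunked-body decoder whose trailer merge accepts a field only if it is on a strict allowlist, was announced in the request's Trailer header, and does not already exist as a header. The allowlist contents, the header names and the sample request are assumptions constructed for the illustration; header keys are assumed to be lowercased already.

```python
TRAILER_ALLOWLIST = {"x-checksum", "server-timing"}  # assumed safe fields; not ewe's list


def parse_chunked(body: bytes) -> tuple[bytes, list[tuple[str, str]]]:
    """Decode a chunked HTTP/1.1 body; return (payload, raw trailer fields)."""
    payload, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";", 1)[0].strip(), 16)  # ignore chunk extensions
        pos = end + 2
        if size == 0:                      # last-chunk; the trailer section follows
            break
        payload += body[pos:pos + size]
        pos += size + 2                    # skip chunk data and its terminating CRLF
    trailers = []
    while True:
        end = body.index(b"\r\n", pos)
        line, pos = body[pos:end], end + 2
        if not line:                       # empty line ends the trailer section
            break
        name, _, value = line.decode("latin-1").partition(":")
        trailers.append((name.strip().lower(), value.strip()))
    return bytes(payload), trailers


def merge_trailers(headers, trailers, allowlist=TRAILER_ALLOWLIST):
    """Merge trailer fields into the header map under a strict allowlist.

    A trailer is accepted only if its name is on the allowlist, was declared in
    the Trailer header, and is not already present, so a trailer can never
    overwrite Authorization, Cookie, X-Forwarded-For or any other header.
    Returns (merged headers, names of rejected trailers) for logging/alerting.
    """
    declared = {n.strip().lower() for n in headers.get("trailer", "").split(",") if n.strip()}
    merged, rejected = dict(headers), []
    for name, value in trailers:
        if name in allowlist and name in declared and name not in merged:
            merged[name] = value
        else:
            rejected.append(name)
    return merged, rejected


if __name__ == "__main__":
    # Constructed sample: a trailer attempts to replace the Authorization header.
    raw = b"4\r\nWiki\r\n0\r\nAuthorization: Bearer forged\r\nX-Checksum: abc\r\n\r\n"
    hdrs = {"authorization": "Bearer real", "trailer": "x-checksum"}
    data, tr = parse_chunked(raw)
    print(data, merge_trailers(hdrs, tr))
```

The rejected-name list is the signal worth logging: a request whose trailers name Authorization or Cookie is a strong indicator of the injection attempt this advisory describes.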

Mitigation Strategies

  • Upgrade the ewe library to version 3.0.5 or later.
  • Implement WAF rules to drop or sanitize requests containing the 'Trailer' header.
  • Configure reverse proxies to normalize incoming HTTP requests and strip chunked trailers before forwarding traffic to the backend.

Remediation Steps:

  1. Update the project dependencies in gleam.toml to require ewe version >= 3.0.5.
  2. Run the gleam package manager update command to fetch the new version.
  3. Recompile the application to ensure the updated library code is statically linked.
  4. Deploy the updated binaries to production environments.
  5. Monitor application logs for sudden drops in malformed header processing.

