Description
ewe is a Gleam web server. Versions 0.8.0 through 3.0.4 contain a bug in the handle_trailers function where rejected trailer headers (forbidden or undeclared) cause an infinite loop. When handle_trailers encounters such a trailer, three code paths (lines 520, 523, 526) recurse with the original buffer (rest) instead of advancing past the rejected header (Buffer(header_rest, 0)), causing decoder.decode_packet to re-parse the same header on every iteration. The resulting loop has no timeout or escape — the BEAM process permanently wedges at 100% CPU. Any application that calls ewe.read_body on chunked requests is affected, and this is exploitable by any unauthenticated remote client before control returns to application code, making an application-level workaround impossible. This issue is fixed in version 3.0.5.
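The recursion defect described above, modelled in Python as an added illustration rather than ewe's own Gleam code: on a rejected trailer the vulnerable loop re-enters with the unconsumed buffer (ewe's `rest`) and decodes the same header forever, while the corrected variant continues from the bytes after that header. The forbidden-header set, the sample trailer block and the iteration guard are constructed for this example.

```python
# Added illustration of the ewe handle_trailers defect; not ewe's own (Gleam) code.
# FORBIDDEN, SAMPLE_TRAILERS and MAX_ITERATIONS are constructed for this example.
from __future__ import annotations

FORBIDDEN = {"transfer-encoding", "content-length", "host", "expect", "trailer"}
MAX_ITERATIONS = 10_000  # guard so the buggy variant raises instead of wedging the process
# Constructed input: a forbidden, an undeclared and a declared trailer, the blank
# line that ends the trailer block, then bytes belonging to whatever follows.
SAMPLE_TRAILERS = b"Expect: 100-continue\r\nX-Foo: bar\r\nX-Checksum: abc\r\n\r\nNEXT"


def decode_header(buf: bytes):
    """Decode one 'Name: value' line. Returns ((name, value), rest), or (None, rest)
    at the blank line ending the block, or None if no complete line is present."""
    end = buf.find(b"\r\n")
    if end < 0:
        return None
    line, rest = buf[:end], buf[end + 2:]
    if not line:
        return None, rest
    name, _, value = line.partition(b":")
    return (name.strip().decode("latin-1").lower(), value.strip().decode("latin-1")), rest


def handle_trailers(buf: bytes, declared: set[str], *, fixed: bool) -> tuple[dict, bytes]:
    """Consume a trailer block; returns (accepted_trailers, remaining_bytes).
    fixed=False reproduces the defect: a rejected header leaves buf unchanged, so the
    same header is decoded on every iteration. fixed=True advances past it."""
    trailers: dict[str, str] = {}
    for _ in range(MAX_ITERATIONS):
        decoded = decode_header(buf)
        if decoded is None:
            raise ValueError("incomplete trailer block")
        header, header_rest = decoded
        if header is None:  # blank line: end of trailers
            return trailers, header_rest
        name, value = header
        if name in FORBIDDEN or name not in declared:
            # vulnerable path keeps the original buffer (ewe's 'rest');
            # corrected path continues from 'header_rest' (ewe's Buffer(header_rest, 0))
            buf = header_rest if fixed else buf
            continue
        trailers[name] = value
        buf = header_rest
    raise RuntimeError("handle_trailers did not terminate (infinite loop)")


def wedges(buf: bytes, declared: set[str]) -> bool:
    """True if the vulnerable variant exhausts the iteration guard on buf."""
    try:
        handle_trailers(buf, declared, fixed=False)
    except RuntimeError:
        return True
    return False
```

Only blocks containing a rejected trailer trigger the loop; a block of purely declared, permitted trailers is handled by both variants.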
Published: 2026-03-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

Key detail from CVE description: The handle_trailers function in ewe versions 0.8.0 through 3.0.4 loops indefinitely when parsing rejected trailer headers, causing the BEAM process to consume 100% CPU and remain unresponsive. This is a logical control flaw (CWE-825) that results in a denial of service. The vulnerability is exploitable by any unauthenticated remote client before application code runs, preventing normal request handling and making application-level mitigations ineffective.

Affected Systems

The affected product is the vshakitskiy:ewe Gleam web server. Versions 0.8.0 through 3.0.4 are vulnerable. Any deployment that calls ewe.read_body on chunked requests will exercise the buggy code path.

Risk and Exploitability

The CVSS score is 7.5, indicating high severity. No EPSS data is available, and the issue is not listed in CISA's KEV catalog. Exploitability requires an unauthenticated client to send a request containing forbidden or undeclared trailer headers in a chunked payload. Once triggered, the process enters a permanent loop with no timeout, leading to a lasting denial of service. Because the attack can occur before the application code is reached, a workaround at the application layer is not possible.

Generated by OpenCVE AI on March 20, 2026 at 03:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ewe to version 3.0.5 or newer


Advisories
Source: GitHub GHSA
ID: GHSA-4w98-xf39-23gp
Title: Loop with Unreachable Exit Condition ('Infinite Loop') in ewe
History

Fri, 20 Mar 2026 18:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Vshakitskiy; Vshakitskiy ewe

Type: Vendors & Products
Values removed: (none)
Values added: Vshakitskiy; Vshakitskiy ewe

Fri, 20 Mar 2026 01:30:00 +0000

Type: Description
Values removed: (none)
Values added: the CVE description (identical to the Description section at the top of this page)

Type: Title
Values added: ewe: Loop with Unreachable Exit Condition ('Infinite Loop')

Type: Weaknesses
Values added: CWE-825

Type: References
Values added: (empty)

Type: Metrics
Values added: cvssV3_1
{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T18:08:59.660Z

Reserved: 2026-03-16T21:03:44.419Z

Link: CVE-2026-32873

Vulnrichment

Updated: 2026-03-20T16:56:32.878Z

NVD

Status: Awaiting Analysis

Published: 2026-03-20T02:16:35.540

Modified: 2026-03-20T19:16:17.430

Link: CVE-2026-32873

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T10:43:32Z

Weaknesses