Description
ewe is a Gleam web server. Versions 0.8.0 through 3.0.4 contain a bug in the handle_trailers function where rejected trailer headers (forbidden or undeclared) cause an infinite loop. When handle_trailers encounters such a trailer, three code paths (lines 520, 523, 526) recurse with the original buffer (rest) instead of advancing past the rejected header (Buffer(header_rest, 0)), causing decoder.decode_packet to re-parse the same header on every iteration. The resulting loop has no timeout or escape — the BEAM process permanently wedges at 100% CPU. Any application that calls ewe.read_body on chunked requests is affected, and this is exploitable by any unauthenticated remote client before control returns to application code, making an application-level workaround impossible. This issue is fixed in version 3.0.5.
Published: 2026-03-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

The ewe server processes HTTP chunked requests with a function that parses trailer headers. In versions 0.8.0 through 3.0.4, if an attacker includes a forbidden or undeclared trailer header, the parsing logic recurses with the same buffer rather than advancing, creating an infinite loop. The BEAM virtual machine running the server then consumes 100 % of a CPU indefinitely, and the process becomes permanently unresponsive. This flaw, classified as CWE-825 and CWE-835, results in a denial of service. Because the loop is triggered before application code runs, any unauthenticated remote client can provoke the effect, and no application-level mitigation can prevent it.
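The recursion defect described above, modelled in Python as an added example (this is not ewe's own code, and the line layout, the FORBIDDEN set and the sample trailer section are constructed assumptions): `fixed=False` reproduces the 0.8.0 to 3.0.4 behaviour of not advancing past a rejected trailer, and a no-progress check turns the would-be infinite loop into an exception so the defect is observable rather than a hang.

```python
# Constructed model of a chunked-body trailer parser, not ewe's implementation.
# Trailer section: "Name: value\r\n" lines after the 0-length chunk, ended by "\r\n".
FORBIDDEN = {"content-length", "transfer-encoding", "host"}  # assumed forbidden set


def decode_header_line(buf: bytes):
    """Parse one trailer line. Returns (name, value, rest); name is None at the
    terminating empty line. Raises ValueError on incomplete or malformed input."""
    end = buf.find(b"\r\n")
    if end < 0:
        raise ValueError("incomplete trailer line")
    line, rest = buf[:end], buf[end + 2:]
    if not line:
        return None, None, rest
    name, sep, value = line.partition(b":")
    if not sep:
        raise ValueError("malformed trailer line")
    return name.strip().lower().decode(), value.strip().decode(), rest


def parse_trailers(buf: bytes, declared: set, fixed: bool = True):
    """Consume the trailer section, returning (accepted trailers, remaining bytes).

    fixed=True continues from header_rest after a rejected trailer (the 3.0.5
    behaviour); fixed=False keeps the original buffer, so the same header would
    be decoded again on every iteration. The length check detects that lack of
    progress and aborts instead of spinning forever."""
    accepted = {}
    while True:
        name, value, header_rest = decode_header_line(buf)
        if name is None:
            return accepted, header_rest  # empty line ends the trailer section
        if name in FORBIDDEN or name not in declared:
            next_buf = header_rest if fixed else buf  # the one-token difference
        else:
            accepted[name] = value
            next_buf = header_rest
        if len(next_buf) >= len(buf):
            raise RuntimeError(f"no progress past trailer {name!r}: would loop forever")
        buf = next_buf


# Constructed sample: one declared, one undeclared and one forbidden trailer.
SAMPLE = b"x-checksum: abc123\r\nx-undeclared: 1\r\ncontent-length: 5\r\n\r\nleftover"
DECLARED = {"x-checksum"}

if __name__ == "__main__":
    print(parse_trailers(SAMPLE, DECLARED))  # fixed path: accepts only x-checksum
    try:
        parse_trailers(SAMPLE, DECLARED, fixed=False)
    except RuntimeError as exc:
        print("vulnerable path:", exc)
```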

Affected Systems

The affected product is the Gleam web server named ewe, produced by vshakitskiy. Vulnerable releases include all versions from 0.8.0 up to and including 3.0.4. Any deployment that uses ewe.read_body to handle chunked requests and exposes a public HTTP endpoint is affected. The bug resides in the handle_trailers function, so any server configured to support chunked transfer encoding is at risk.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.5, indicating high severity, and an EPSS score of less than 1 %, suggesting low but non‑zero exploitation probability. It is not listed in the CISA KEV catalog. An attacker can trigger the denial of service by sending an unauthenticated HTTP request containing a forbidden or undeclared trailer header in a chunked payload. The BEAM process will then enter a permanent, non‑timeout loop, maintaining 100 % CPU usage until the process is manually restarted or terminated. Because the attack occurs before the application code is executed, it cannot be mitigated by application‑level controls.

Generated by OpenCVE AI on April 17, 2026 at 11:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ewe to version 3.0.5 or newer
  • Configure any reverse proxy or load balancer to strip or reject HTTP requests that contain trailer headers or disable chunked transfer encoding for the affected endpoints
  • Monitor the BEAM process’s CPU usage and set up an automatic restart or graceful kill if usage stays above a threshold (e.g., 90 %) to ensure the service can recover while at risk.


Advisories

Source        ID                     Title
Github GHSA   GHSA-4w98-xf39-23gp    Loop with Unreachable Exit Condition ('Infinite Loop') in ewe
History

Thu, 16 Apr 2026 13:30:00 +0000

Type          Values Removed   Values Added
Weaknesses                     CWE-835
CPEs                           cpe:2.3:a:vshakitskiy:ewe:*:*:*:*:*:*:*:*

Fri, 20 Mar 2026 18:15:00 +0000

Type          Values Removed   Values Added
Metrics                        ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Vshakitskiy, Vshakitskiy ewe
Vendors & Products                     Vshakitskiy, Vshakitskiy ewe

Fri, 20 Mar 2026 01:30:00 +0000

Type          Values Removed   Values Added
Description                    (same text as the Description at the top of this page)
Title                          ewe: Loop with Unreachable Exit Condition ('Infinite Loop')
Weaknesses                     CWE-825
References
Metrics                        cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T18:08:59.660Z

Reserved: 2026-03-16T21:03:44.419Z

Link: CVE-2026-32873

Vulnrichment

Updated: 2026-03-20T16:56:32.878Z

NVD

Status: Analyzed

Published: 2026-03-20T02:16:35.540

Modified: 2026-04-16T13:27:24.807

Link: CVE-2026-32873

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T11:30:17Z

Weaknesses