Description
ewe is a Gleam web server. ewe is a Gleam web server. Versions 0.6.0 through 3.0.4 are vulnerable to authentication bypass or spoofed proxy-trust headers. Chunked transfer encoding trailer handling merges declared trailer fields into req.headers after body parsing, but the denylist only blocks 9 header names. A malicious client can exploit this by declaring these headers in the Trailer field and appending them after the final chunk, causing request.set_header to overwrite legitimate values (e.g., those set by a reverse proxy). This enables attackers to forge authentication credentials, hijack sessions, bypass IP-based rate limiting, or spoof proxy-trust headers in any downstream middleware that reads headers after ewe.read_body is called. This issue has been fixed in version 3.0.5.
Published: 2026-03-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Patch Immediately
AI Analysis

Impact

The vulnerability resides in the handling of HTTP chunked transfer-encoding trailers by the Gleam web server “ewe”. When a request contains a Trailer header that declares additional header fields, the server merges these into the request header table after parsing the body. The whitelist used to block dangerous headers only excludes nine names, leaving the rest open to abuse. A malicious client can therefore send deliberately chosen trailer fields such as X-Forwarded-For, X-Authenticated-User, or other authentication-related headers. Upon receipt, ewe overwrites normal header values set by upstream reverse proxies. The result is that an attacker can forge authentication credentials, hijack user sessions, bypass IP‑based rate limiting, or insert proxy‑trust headers that downstream middleware will honor. This is effectively an authentication bypass that can lead to privilege escalation and data compromise.

Affected Systems

The affected product is the Gleam web server named “ewe” developed by vshakitskiy. Versions from 0.6.0 up to and including 3.0.4 are vulnerable. The vulnerability was addressed in release 3.0.5, which removes the permissive handling of trailer headers.

Risk and Exploitability

The impact rating is moderate with a CVSS score of 5.3, while the EPSS score indicates a very low probability of exploitation (<1 %). The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog, reducing current threat visibility. Attackers can exploit the weakness remotely by forging an HTTP request that includes chunked transfer‑encoding trailers. No privilege or authentication is required, so a remote attacker from the internet could potentially prepare a crafted client and send a malicious request. The overall risk is therefore moderate but the likelihood of active exploitation is low.

Generated by OpenCVE AI on March 23, 2026 at 18:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch by upgrading ewe to version 3.0.5 or newer.

Generated by OpenCVE AI on March 23, 2026 at 18:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9w88-79f8-m3vp Permissive List of Allowed Inputs in ewe
History

Mon, 23 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:vshakitskiy:ewe:*:*:*:*:*:*:*:*

Fri, 20 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Vshakitskiy
Vshakitskiy ewe
Vendors & Products Vshakitskiy
Vshakitskiy ewe

Fri, 20 Mar 2026 01:30:00 +0000

Type Values Removed Values Added
Description ewe is a Gleam web server. ewe is a Gleam web server. Versions 0.6.0 through 3.0.4 are vulnerable to authentication bypass or spoofed proxy-trust headers. Chunked transfer encoding trailer handling merges declared trailer fields into req.headers after body parsing, but the denylist only blocks 9 header names. A malicious client can exploit this by declaring these headers in the Trailer field and appending them after the final chunk, causing request.set_header to overwrite legitimate values (e.g., those set by a reverse proxy). This enables attackers to forge authentication credentials, hijack sessions, bypass IP-based rate limiting, or spoof proxy-trust headers in any downstream middleware that reads headers after ewe.read_body is called. This issue has been fixed in version 3.0.5.
Title ewe has an Overly Permissive List of Allowed Inputs
Weaknesses CWE-183
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Vshakitskiy Ewe
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T20:03:41.064Z

Reserved: 2026-03-16T21:03:44.420Z

Link: CVE-2026-32881

cve-icon Vulnrichment

Updated: 2026-03-20T20:03:37.662Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T02:16:36.237

Modified: 2026-03-23T17:03:15.093

Link: CVE-2026-32881

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:10:09Z

Weaknesses