Description
Origin Validation Error vulnerability in ninenines gun (gun_http2 module) allows cross-origin cookie injection via unvalidated HTTP/2 PUSH_PROMISE authority.

In gun_http2:push_promise_frame/7, the :authority pseudo-header from an incoming PUSH_PROMISE frame is stored verbatim into the promised stream record without checking that it matches the connection's origin. When gun_http2:headers_frame/9 later processes the response headers for the promised stream, it calls gun_cookies:set_cookie_header/7 with the unvalidated server-supplied authority before any status branching and before user code can act. This violates RFC 7540 §10.6 / RFC 9113 §8.4, which require receivers to treat as a protocol error any push for a resource the server is not authoritative for.

A malicious or compromised HTTP/2 server can plant cookies scoped to arbitrary third-party domains into the client's shared cookie store. This enables session fixation attacks against those domains and, if the planted cookie overrides a legitimate session token, may result in account takeover. No user interaction beyond making a normal HTTP/2 request to the attacker-controlled server is required.

This issue affects gun: from 2.0.0 before 2.4.0.
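As an added example, not gun's own code or the project's fix, the following Erlang module performs the origin check the description says push_promise_frame/7 lacks: the promised stream's :authority is split into host and port and compared against the connection's origin before any cookie from that stream would be accepted. The module and function names and the {Scheme, Host, Port} origin tuple are assumptions.

```erlang
%% Added example (assumed names; not gun's own code): reject a PUSH_PROMISE
%% whose :authority does not match the origin of the connection it arrived on.
-module(push_authority_check).
-export([authority_matches_origin/2, split_authority/2]).

%% Origin is {Scheme, Host, Port} of the existing connection, e.g.
%% {<<"https">>, <<"example.com">>, 443}; an IPv6 host stays bracketed.
%% Authority is the raw :authority pseudo-header from the PUSH_PROMISE frame.
-spec authority_matches_origin({binary(), binary(), 1..65535}, binary()) -> boolean().
authority_matches_origin({Scheme, Host, Port}, Authority) ->
    case split_authority(Authority, default_port(Scheme)) of
        {ok, AHost, APort} ->
            %% Hosts compare case-insensitively; ports after scheme defaults.
            string:lowercase(AHost) =:= string:lowercase(Host) andalso APort =:= Port;
        error ->
            false  % a malformed authority is never authoritative here
    end.

default_port(<<"https">>) -> 443;
default_port(<<"http">>) -> 80.

%% Split "host[:port]" into {ok, Host, Port}. Userinfo ("@"), an empty host
%% or an unparsable port yields error so the caller rejects the promise.
split_authority(Authority, DefaultPort) ->
    case binary:match(Authority, <<"@">>) of
        nomatch -> split_host_port(Authority, DefaultPort);
        _ -> error
    end.
%% Bracketed IPv6 literal, optionally followed by ":port".
split_host_port(<<"[", Rest/binary>>, DefaultPort) ->
    case binary:split(Rest, <<"]">>) of
        [Ip, <<>>] -> {ok, <<"[", Ip/binary, "]">>, DefaultPort};
        [Ip, <<":", PortBin/binary>>] -> with_port(<<"[", Ip/binary, "]">>, PortBin);
        _ -> error
    end;
split_host_port(Authority, DefaultPort) ->
    case binary:split(Authority, <<":">>) of
        [<<>>|_] -> error;
        [Host] -> {ok, Host, DefaultPort};
        [Host, PortBin] -> with_port(Host, PortBin)
    end.

with_port(Host, PortBin) ->
    try binary_to_integer(PortBin) of
        Port when Port > 0, Port < 65536 -> {ok, Host, Port};
        _ -> error
    catch
        error:badarg -> error
    end.
```

With origin {<<"https">>, <<"example.com">>, 443}, an authority of <<"EXAMPLE.com">> is accepted, while <<"evil.example:443">> and <<"user@example.com">> are rejected; a promise that fails the check should be dropped (and, per the RFCs the description cites, treated as a protocol error) before its headers reach gun_cookies.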
Published: 2026-06-08
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an origin validation failure in the gun HTTP/2 client module (gun_http2). The :authority pseudo-header from an incoming PUSH_PROMISE frame is stored without verifying that it matches the connection's origin. This flaw allows a malicious or compromised HTTP/2 server to plant cookies scoped to third-party domains into the client's shared cookie store. An attacker can therefore perform session fixation or, if the injected cookie overrides a legitimate session token, achieve account takeover. No user interaction beyond a normal HTTP/2 request to the attacker-controlled server is required.

Affected Systems

The affected product is the Erlang library gun, specifically the gun_http2 module. All versions from 2.0.0 up to, but not including, 2.4.0 are vulnerable. No other vendors or product lines are affected according to the CNA data.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. EPSS information is not available, so the likelihood of exploitation is undetermined, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is a gun client making an HTTP/2 request to an attacker-controlled server. An attacker does not need privileged access; simply serving a malicious PUSH_PROMISE frame with a forged :authority header suffices. Because such a push violates RFC 7540 §10.6, it is a protocol error that a compliant HTTP/2 client can detect and reject.

Generated by OpenCVE AI on June 8, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade gun to version 2.4.0 or newer, which validates the :authority header in PUSH_PROMISE frames.
  • If upgrade is not possible, place the application behind a reverse proxy or firewall that either blocks or sanitizes HTTP/2 PUSH_PROMISE frames, effectively preventing the injection of unvalidated cookies.
  • Monitor HTTP/2 traffic for abnormal PUSH_PROMISE frames and log or alert on repeated occurrences of invalid :authority values.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 16:30:00 +0000 (no values removed)

  Metrics (added): ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 14:30:00 +0000 (no values removed)

  Description (added): Origin Validation Error vulnerability in ninenines gun (gun_http2 module) allows cross-origin cookie injection via unvalidated HTTP/2 PUSH_PROMISE authority. In gun_http2:push_promise_frame/7, the :authority pseudo-header from an incoming PUSH_PROMISE frame is stored verbatim into the promised stream record without checking that it matches the connection's origin. When gun_http2:headers_frame/9 later processes the response headers for the promised stream, it calls gun_cookies:set_cookie_header/7 with the unvalidated server-supplied authority before any status branching and before user code can act. This violates RFC 7540 §10.6 / RFC 9113 §8.4, which require receivers to treat as a protocol error any push for a resource the server is not authoritative for. A malicious or compromised HTTP/2 server can plant cookies scoped to arbitrary third-party domains into the client's shared cookie store. This enables session fixation attacks against those domains and, if the planted cookie overrides a legitimate session token, may result in account takeover. No user interaction beyond making a normal HTTP/2 request to the attacker-controlled server is required. This issue affects gun: from 2.0.0 before 2.4.0.
  Title (added): gun HTTP/2 PUSH_PROMISE authority not validated against connection origin allows cross-origin cookie injection
  First Time appeared (added): Ninenines; Ninenines gun
  Weaknesses (added): CWE-346
  CPEs (added): cpe:2.3:a:ninenines:gun:*:*:*:*:*:*:*:*
  Vendors & Products (added): Ninenines; Ninenines gun
  References (added): (empty)
  Metrics (added): cvssV4_0
    {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-08T16:34:45.350Z

Reserved: 2026-05-04T18:23:25.574Z

Link: CVE-2026-43972

Vulnrichment

Updated: 2026-06-08T15:43:02.790Z

NVD

Status: Awaiting Analysis

Published: 2026-06-08T15:16:46.290

Modified: 2026-06-09T15:20:13.097

Link: CVE-2026-43972

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T08:57:08Z

Weaknesses