Description
Uncontrolled Resource Consumption vulnerability in ninenines gun (gun_http module) allows a malicious server to exhaust client memory via unbounded HTTP/1.1 response buffering.

In gun_http:handle/5, three clauses accumulate incoming TCP data into the connection's buffer field using binary concatenation with no upper-bound check: the head clause appends data until the \r\n\r\n header terminator is found; the body_chunked clause appends data whenever cow_http_te:stream_chunked/2 returns a more result indicating an incomplete chunk boundary; and the body_trailer clause appends data until the trailing \r\n\r\n is found. In each case, when the expected terminator never arrives, the enlarged binary is stored back into state and the process waits for more data, with no configurable or hard-coded ceiling on buffer size.

A malicious or compromised server can exploit this by sending a partial response that never completes. For example, a response may begin with HTTP/1.1 200 OK\r\nX-Pad: followed by an unbounded stream of arbitrary bytes, never sending the header terminator. The gun connection process will continuously append the incoming data to its buffer, causing unbounded heap growth. Because BEAM imposes no per-process heap limit by default, a single malicious connection can exhaust all available memory on the node, causing a node-wide out-of-memory crash.

This issue affects gun: from 1.0.0 before 2.4.0.
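To make the buffering pattern concrete, the following is an added illustration (not gun's own code) of an accumulate-until-terminator clause of the kind the description attributes to gun_http:handle/5, written once without a bound and once with a ceiling; the module and function names and the MaxSize parameter are assumptions.

```erlang
-module(head_buffer_example).
-export([unbounded_head/2, bounded_head/3, feed_bounded/3]).

%% Added illustration, not gun's code: the shape of the vulnerable pattern.
%% Incoming Data is appended to Buffer until "\r\n\r\n" is seen; if the
%% terminator never arrives, the binary is stored back and only ever grows.
unbounded_head(Buffer, Data) ->
    Buffer2 = <<Buffer/binary, Data/binary>>,
    case binary:match(Buffer2, <<"\r\n\r\n">>) of
        nomatch ->
            {more, Buffer2};                      % store and wait, no ceiling
        {Pos, 4} ->
            <<Head:Pos/binary, _:4/binary, Rest/binary>> = Buffer2,
            {headers, Head, Rest}
    end.

%% Hardened form: the same accumulation, but a buffer that exceeds MaxSize
%% bytes without a terminator is reported as an error so the caller can
%% close the connection instead of holding the growing binary in state.
bounded_head(Buffer, Data, MaxSize) when is_integer(MaxSize), MaxSize > 0 ->
    Buffer2 = <<Buffer/binary, Data/binary>>,
    case binary:match(Buffer2, <<"\r\n\r\n">>) of
        {Pos, 4} ->
            <<Head:Pos/binary, _:4/binary, Rest/binary>> = Buffer2,
            {headers, Head, Rest};
        nomatch when byte_size(Buffer2) > MaxSize ->
            {error, {head_too_large, byte_size(Buffer2), MaxSize}};
        nomatch ->
            {more, Buffer2}
    end.

%% Drive the bounded clause with a list of chunks, standing in for the TCP
%% data messages a connection process receives; stops on headers or error.
feed_bounded(Buffer, [], _MaxSize) ->
    {more, Buffer};
feed_bounded(Buffer, [Chunk | Rest], MaxSize) ->
    case bounded_head(Buffer, Chunk, MaxSize) of
        {more, Buffer2} -> feed_bounded(Buffer2, Rest, MaxSize);
        Other -> Other
    end.
```

Feeding the never-terminating response from the description (an "HTTP/1.1 200 OK\r\nX-Pad: " prefix followed by filler chunks) through feed_bounded/3 returns {error, {head_too_large, _, _}} as soon as the accumulated buffer passes MaxSize, whereas unbounded_head/2 keeps answering {more, Buffer2} with an ever larger binary.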
Published: 2026-06-08
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The gun HTTP/1.1 client library contains an uncontrolled buffer growth flaw in the gun_http module. Incoming response data is concatenated to an internal binary buffer without any size limit. An attacker can send a partial response that never terminates, causing the buffer to grow indefinitely. This results in unbounded heap consumption on the client process, eventually exhausting the Erlang node's memory and triggering an out-of-memory crash or significant slowdown. The weakness is a case of uncontrolled resource consumption (CWE-770).

Affected Systems

The vulnerability affects the gun library from the ninenines project. Versions from 1.0.0 through any release prior to 2.4.0 are impacted. Applications that use these older versions as HTTP/1.1 clients to external servers are susceptible.

Risk and Exploitability

The CVSS base score of 8.7 indicates high severity. EPSS data is not available, and the flaw is not listed in the CISA KEV catalog. An attacker can exploit this by acting as a remote server that sends a deliberately malformed, never-terminating HTTP/1.1 response to any gun client. Because the server controls the input stream and no size limit is enforced, the attack does not require privileged local access. The result is a memory exhaustion denial of service that can bring down or destabilize the entire Erlang node hosting the gun process.

Generated by OpenCVE AI on June 8, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade gun to version 2.4.0 or later, which limits response buffer size and fixes the heap growth issue.
  • Configure the application or infrastructure to enforce reasonable HTTP response size limits or timeouts on gun connections, reducing the window for an attacker to send large incomplete streams.
  • Monitor Erlang node memory usage for unusual growth patterns and set alerts if processes approach capacity, providing early warning of attempted exploitation against clients still on affected versions.


Advisories

No advisories yet.

History

Mon, 08 Jun 2026 17:30:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 08 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | Uncontrolled Resource Consumption vulnerability in ninenines gun (gun_http module) allows a malicious server to exhaust client memory via unbounded HTTP/1.1 response buffering. In gun_http:handle/5, three clauses accumulate incoming TCP data into the connection's buffer field using binary concatenation with no upper-bound check: the head clause appends data until the \r\n\r\n header terminator is found; the body_chunked clause appends data whenever cow_http_te:stream_chunked/2 returns a more result indicating an incomplete chunk boundary; and the body_trailer clause appends data until the trailing \r\n\r\n is found. In each case, when the expected terminator never arrives, the enlarged binary is stored back into state and the process waits for more data, with no configurable or hard-coded ceiling on buffer size. A malicious or compromised server can exploit this by sending a partial response that never completes. For example, a response may begin with HTTP/1.1 200 OK\r\nX-Pad: followed by an unbounded stream of arbitrary bytes, never sending the header terminator. The gun connection process will continuously append the incoming data to its buffer, causing unbounded heap growth. Because BEAM imposes no per-process heap limit by default, a single malicious connection can exhaust all available memory on the node, causing a node-wide out-of-memory crash. This issue affects gun: from 1.0.0 before 2.4.0.
Title | (none) | gun HTTP/1.1 response buffer has no size limit allowing server-controlled memory exhaustion
First Time appeared | (none) | Ninenines; Ninenines gun
Weaknesses | (none) | CWE-770
CPEs | (none) | cpe:2.3:a:ninenines:gun:*:*:*:*:*:*:*:*
Vendors & Products | (none) | Ninenines; Ninenines gun
References | (none) | (none)
Metrics | (none) | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-08T16:35:01.405Z

Reserved: 2026-05-04T18:23:25.574Z

Link: CVE-2026-43973

Vulnrichment

Updated: 2026-06-08T15:48:08.555Z

NVD

Status: Awaiting Analysis

Published: 2026-06-08T15:16:46.700

Modified: 2026-06-09T15:20:13.097

Link: CVE-2026-43973

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T08:57:07Z

Weaknesses
  • CWE-770: Allocation of Resources Without Limits or Throttling