Description
Unexpected Status Code or Return Value vulnerability in ninenines gun (gun_http module) allows a malicious HTTP server to force the client into raw protocol mode via an unsolicited 101 Switching Protocols response.

In gun_http:handle_inform/8, when a 101 Switching Protocols response is received over HTTP/1.1, the function verifies only that the Upgrade header is syntactically valid and that the stream reference is a plain reference(). It does not check whether the client ever sent an Upgrade or Connection: upgrade header on the corresponding request. Because this check is absent, any 101 response (solicited or not) causes gun to dispatch a gun_upgrade message to the caller and transition the entire connection to raw protocol mode.

A malicious or compromised HTTP server can send an unsolicited 101 response to any HTTP/1.1 request, causing the gun client to abandon HTTP framing for that connection. Once in raw mode, gun_raw applies no flow control (flow=infinity) and re-arms socket active mode after every received packet, so the server can flood the client with arbitrary bytes. These are forwarded as unbounded gun_data messages to the owner process, exhausting its mailbox and BEAM memory, ultimately crashing the VM.

This issue affects gun: from 2.0.0 before 2.4.0.
Published: 2026-06-08
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The gun HTTP/1.1 client contains a flaw where it accepts an unsolicited 101 Switching Protocols response without verifying that the original request requested an upgrade or that the Connection header specified upgrade. As a result, any server that sends a 101 response—whether or not it was requested—causes the client to transition the entire connection into raw protocol mode. In raw mode the client forwards all received bytes as unbounded gun_data messages with infinite flow control, exhausting the owning process’s mailbox and BEAM memory until the virtual machine crashes. This vulnerability is a classic example of CWE‑841, improper handling of protocol upgrade headers, and leads to resource exhaustion rather than traditional remote code execution.

Affected Systems

The issue affects the ninenines gun HTTP/1.1 client library. Versions from 2.0.0 up to, but not including, 2.4.0 are impacted. Applications or services that use any of those releases as an HTTP client are potentially vulnerable.

Risk and Exploitability

The CVSS score of 8.7 classifies this flaw as High, indicating significant impact and a substantial attack surface. Exploitation requires a remote actor capable of serving HTTP traffic to the vulnerable client. While EPSS data is not available, the high CVSS combined with the possibility for the attacker to send arbitrary payloads after hijacking the connection suggests a non‑negligible risk of exploitation. The vulnerability is not currently listed in the CISA KEV catalog, but the combination of an unverified protocol upgrade and unlimited memory usage makes it a prime target for denial of service campaigns.

Generated by OpenCVE AI on June 8, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the gun library to version 2.4.0 or later, which contains a fix for the unverified upgrade check.
  • If an upgrade is not immediately possible, have the client reject any unsolicited 101 Switching Protocols response, honoring only a 101 that answers an upgrade request the client itself sent.
  • If neither an upgrade nor a configuration change is feasible, limit the BEAM VM memory usage and process mailbox size (e.g., via system limits or application‑level memory caps) to reduce the impact of potential unbounded data flooding.
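The check gun_http:handle_inform/8 omits, together with an owner-side guard along the lines of the second recommendation above, as an added example that is not gun's own code: upgrade_requested/2 accepts a 101 only when the request carried Connection: upgrade and an Upgrade header naming the protocol the server switched to, and handle_gun_message/2 closes the connection on any gun_upgrade for a stream the owner did not deliberately upgrade. The module name and the Requested map are assumptions; the gun_upgrade message shape and gun:close/1 are gun's 2.x API.

```erlang
%% unsolicited_upgrade_guard.erl: added example, not part of gun.
-module(unsolicited_upgrade_guard).
-export([upgrade_requested/2, handle_gun_message/2]).

%% Header lists are [{Name, Value}] with lowercase binary names, as gun
%% presents them; values may be iodata.
-type headers() :: [{binary(), iodata()}].

%% The check the advisory says handle_inform/8 skips: a 101 is legitimate
%% only if the request carried "Connection: upgrade" plus an Upgrade header,
%% and the server switched to a protocol the request listed.
-spec upgrade_requested(headers(), headers()) -> boolean().
upgrade_requested(ReqHeaders, RespHeaders) ->
    ConnTokens = tokens(header(<<"connection">>, ReqHeaders)),
    Asked = tokens(header(<<"upgrade">>, ReqHeaders)),
    Granted = tokens(header(<<"upgrade">>, RespHeaders)),
    lists:member(<<"upgrade">>, ConnTokens)
        andalso Asked =/= []
        andalso lists:any(fun(P) -> lists:member(P, Asked) end, Granted).

header(Name, Headers) ->
    iolist_to_binary(proplists:get_value(Name, Headers, <<>>)).

%% Split a comma-separated header value into trimmed, lowercase tokens.
tokens(Value) ->
    [string:lowercase(T)
     || T <- [string:trim(P) || P <- binary:split(Value, <<",">>, [global])],
        T =/= <<>>].

%% Owner-process guard. Requested is an assumed map StreamRef => ReqHeaders
%% for streams on which the owner deliberately sent Upgrade headers. A
%% gun_upgrade for any other stream, or one granting a protocol never asked
%% for, is treated as a hostile unsolicited 101 and the connection is closed.
-spec handle_gun_message(term(), map()) -> {ok | closed, map()}.
handle_gun_message({gun_upgrade, ConnPid, StreamRef, _Protocols, RespHeaders},
                   Requested) ->
    case maps:find(StreamRef, Requested) of
        {ok, ReqHeaders} ->
            case upgrade_requested(ReqHeaders, RespHeaders) of
                true  -> {ok, maps:remove(StreamRef, Requested)};
                false -> ok = gun:close(ConnPid), {closed, Requested}
            end;
        error ->
            ok = gun:close(ConnPid), {closed, Requested}
    end;
handle_gun_message(_OtherGunMessage, Requested) ->
    {ok, Requested}.
```

Because gun has already switched the connection to raw mode by the time gun_upgrade is delivered, closing it limits the flood rather than preventing it; the library upgrade in the first recommendation remains the actual fix.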

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 16:30:00 +0000

  Type: Metrics (ssvc)
  Values removed: none
  Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 08 Jun 2026 14:30:00 +0000

  Type: Description
  Values removed: none
  Values added: the vulnerability description shown in the Description section above
  Type: Title
  Values added: gun HTTP/1.1 client accepts unsolicited 101 Switching Protocols response allowing server-driven protocol hijack and OOM
  Type: First Time appeared
  Values added: Ninenines; Ninenines gun
  Type: Weaknesses
  Values added: CWE-841
  Type: CPEs
  Values added: cpe:2.3:a:ninenines:gun:*:*:*:*:*:*:*:*
  Type: Vendors & Products
  Values added: Ninenines; Ninenines gun
  Type: References
  Values added: none listed
  Type: Metrics (cvssV4_0)
  Values added: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-08T16:34:38.989Z

Reserved: 2026-05-04T18:23:25.574Z

Link: CVE-2026-43974

Vulnrichment

Updated: 2026-06-08T15:41:45.967Z

NVD

Status: Awaiting Analysis

Published: 2026-06-08T15:16:46.870

Modified: 2026-06-09T15:20:13.097

Link: CVE-2026-43974

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T08:57:09Z

Weaknesses