Description
Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow_http_te module) allows Excessive Allocation.

The chunked transfer-encoding parser in cow_http_te accepts an unbounded number of hex digits in the chunk-size field. Each digit causes a bignum multiplication (Len * 16 + digit), so parsing N hex digits requires O(N²) CPU work and O(N) memory. Additionally, when input is drip-fed, the parser discards the accumulated length on each partial read and restarts from zero on resumption, raising the cost to O(N³). An unauthenticated remote attacker can exploit this by sending an HTTP/1.1 request with Transfer-Encoding: chunked and a very long chunk-size hex string to cause denial of service through CPU exhaustion and memory amplification.

This vulnerability is associated with program file src/cow_http_te.erl and program routines cow_http_te:stream_chunked/2, cow_http_te:chunked_len/4.

This issue affects cowlib: from 0.6.0 before 2.16.1.
Published: 2026-05-11
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unbounded hexadecimal digits in the chunk-size field of HTTP/1.1 chunked transfer-encoding allow an unauthenticated attacker to send a request that forces the cow_http_te parser to perform O(N²) CPU work and O(N) memory allocation for an N-digit chunk size, escalating to O(N³) when the input is split across multiple reads. As a result, an attacker can exhaust CPU and inflate memory usage, leading to denial of service. This is a classic uncontrolled resource consumption flaw (CWE-400).
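The defect described in the Description above and in this Impact section comes down to two things: the number of hex digits is unbounded, and the accumulated length is discarded on each partial read. The following Python is an added example written for this page, not cowlib's code; `parse_chunk_size`, `parse_drip_fed`, `restart_cost` and the 16-digit limit `MAX_CHUNK_SIZE_DIGITS` are assumptions of the example (the page does not say what bound the fixed cowlib applies). It shows a bounded, resumable chunk-size parser next to a cost model of the restart-from-zero behaviour the advisory describes, so the difference in work can be measured on constructed input.

```python
"""Bounded, resumable HTTP/1.1 chunk-size parsing (added example, not cowlib code)."""

# Assumed bound, not taken from the advisory: 16 hex digits is the largest
# chunk size that fits in 64 bits, so a longer field can be rejected before
# any further work is done. Any small constant gives the same guarantee.
MAX_CHUNK_SIZE_DIGITS = 16

HEX_DIGITS = b"0123456789abcdefABCDEF"


class ChunkSizeTooLong(ValueError):
    """The chunk-size field has more hex digits than the configured limit."""


def parse_chunk_size(buf, acc=0, ndigits=0, limit=MAX_CHUNK_SIZE_DIGITS):
    """Consume hex digits of a chunk-size field from buf.

    acc and ndigits are the state carried over from a previous partial read,
    so resuming never re-reads bytes that were already parsed.
    Returns ("done", size, ndigits, rest) when a non-hex byte ends the field
    (rest starts at that byte: ';' for a chunk extension or CR before the
    CRLF), or ("more", acc, ndigits, b"") when buf ran out mid-field.
    Raises ChunkSizeTooLong as soon as the digit count passes limit.
    """
    for i, c in enumerate(buf):
        if c not in HEX_DIGITS:
            if ndigits == 0:
                raise ValueError("chunk-size field is empty")
            return ("done", acc, ndigits, buf[i:])
        ndigits += 1
        if ndigits > limit:
            raise ChunkSizeTooLong(f"chunk size exceeds {limit} hex digits")
        acc = acc * 16 + int(chr(c), 16)
    return ("more", acc, ndigits, b"")


def parse_drip_fed(fragments, limit=MAX_CHUNK_SIZE_DIGITS):
    """Feed one read at a time, carrying (acc, ndigits) across reads.

    Returns (size, steps), where steps counts multiply-add operations on the
    accumulator; for a well-formed field it equals the number of digits.
    """
    acc = ndigits = steps = 0
    for frag in fragments:
        before = ndigits
        status, acc, ndigits, _rest = parse_chunk_size(frag, acc, ndigits, limit)
        steps += ndigits - before
        if status == "done":
            return acc, steps
    raise ValueError("input ended before the chunk-size field was terminated")


def restart_cost(fragments):
    """Cost model of the behaviour the advisory describes: on every partial
    read the parser discards its accumulated length and re-parses the whole
    buffered prefix from zero, with no digit limit. Returns the number of
    multiply-add steps, which grows quadratically in the digit count for
    one-byte reads (each step is itself O(N) on a bignum, hence O(N^3))."""
    buffered = b""
    steps = 0
    for frag in fragments:
        buffered += frag
        status, _size, ndigits, _rest = parse_chunk_size(
            buffered, 0, 0, limit=float("inf"))
        steps += ndigits
        if status == "done":
            return steps
    raise ValueError("input ended before the chunk-size field was terminated")


if __name__ == "__main__":
    # Constructed input: eight '1' digits delivered one byte per read.
    drip = [b"1"] * 8 + [b"\r\n"]
    size, steps = parse_drip_fed(drip)
    print(f"stateful parser: size=0x{size:x} in {steps} steps")
    print(f"restart-from-zero model: {restart_cost(drip)} steps for the same input")
    try:
        parse_drip_fed([b"f"] * 17 + [b"\r\n"])
    except ChunkSizeTooLong as exc:
        print(f"bounded parser rejected oversized field: {exc}")
```

For eight digits delivered one byte per read, the stateful parser performs eight multiply-add steps while the restart model performs 44 (the sum 1+2+...+8 plus one final pass), and the gap widens quadratically with the digit count. The digit limit is what makes the worst case bounded regardless of fragmentation: the parser raises on the seventeenth digit whether the digits arrive in one read or seventeen.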

Affected Systems

This vulnerability is present in the cowlib library supplied by ninenines (Nine Nines). Versions from 0.6.0 up to, but not including, 2.16.1 are affected. cowlib is commonly bundled with the Cowboy HTTP server in Erlang and Elixir applications, so any deployment that uses Cowboy with an older cowlib version is potentially vulnerable.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity; no EPSS value is available, so the current exploitation probability is unknown. The issue is not listed in the CISA KEV catalog, so no active exploitation had been recorded there at the time of this report. An attacker would need only to craft a single HTTP/1.1 request with a Transfer-Encoding: chunked header whose chunk-size field is an extremely long hexadecimal string. Because the vulnerability requires no authentication, it can be triggered from anywhere the server accepts requests. In practice the impact is limited to service availability, although the high resource consumption could affect other processes on the same host under heavy load.

Generated by OpenCVE AI on May 11, 2026 at 19:22 UTC.

Remediation

Vendor Workaround

In Cowboy, setting initial_stream_flow_size to a much lower value limits the amount of chunked body data that cowlib will parse in a single read, reducing the window of data an attacker can use to trigger the quadratic work. This does not fully eliminate the vulnerability but can significantly reduce its impact for some applications.


OpenCVE Recommended Actions

  • Upgrade cowlib to version 2.16.1 or later to eliminate the vulnerability.
  • In Cowboy applications, set initial_stream_flow_size to a lower value to limit the amount of chunked body data parsed in a single read, mitigating the impact if an upgrade cannot be performed immediately.
  • Pin the cowlib dependency to a specific, non-vulnerable release and verify that your build system is using the patched version.


Tracking


Advisories

No advisories yet.

History

Mon, 11 May 2026 19:15:00 +0000

Changes (all values added, none removed):

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 18:45:00 +0000

Changes (all values added, none removed):

Type: Description
Values Added: Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow_http_te module) allows Excessive Allocation. The chunked transfer-encoding parser in cow_http_te accepts an unbounded number of hex digits in the chunk-size field. Each digit causes a bignum multiplication (Len * 16 + digit), so parsing N hex digits requires O(N²) CPU work and O(N) memory. Additionally, when input is drip-fed, the parser discards the accumulated length on each partial read and restarts from zero on resumption, raising the cost to O(N³). An unauthenticated remote attacker can exploit this by sending an HTTP/1.1 request with Transfer-Encoding: chunked and a very long chunk-size hex string to cause denial of service through CPU exhaustion and memory amplification. This vulnerability is associated with program file src/cow_http_te.erl and program routines cow_http_te:stream_chunked/2, cow_http_te:chunked_len/4. This issue affects cowlib: from 0.6.0 before 2.16.1.

Type: Title
Values Added: Unbounded chunk-size hex digits in cowlib cause quadratic CPU and memory DoS

Type: First Time appeared
Values Added: Ninenines; Ninenines cowlib

Type: Weaknesses
Values Added: CWE-400

Type: CPEs
Values Added: cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Ninenines; Ninenines cowlib

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-11T18:56:31.426Z

Reserved: 2026-05-04T18:23:21.380Z

Link: CVE-2026-7790

Vulnrichment

Updated: 2026-05-11T18:56:27.213Z

NVD

Status: Received

Published: 2026-05-11T19:16:29.477

Modified: 2026-05-11T19:16:29.477

Link: CVE-2026-7790

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T19:30:06Z

Weaknesses