{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32873", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-16T21:03:44.419Z", "datePublished": "2026-03-20T01:13:39.665Z", "dateUpdated": "2026-03-20T18:08:59.660Z"}, "containers": {"cna": {"title": "ewe: Loop with Unreachable Exit Condition ('Infinite Loop')", "problemTypes": [{"descriptions": [{"cweId": "CWE-825", "lang": "en", "description": "CWE-825: Expired Pointer Dereference", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-4w98-xf39-23gp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-4w98-xf39-23gp"}, {"name": "https://github.com/vshakitskiy/ewe/commit/8513de9dcdd0005f727c0f6f15dd89f8d626f560", "tags": ["x_refsource_MISC"], "url": "https://github.com/vshakitskiy/ewe/commit/8513de9dcdd0005f727c0f6f15dd89f8d626f560"}, {"name": "https://github.com/vshakitskiy/ewe/commit/d8b9b8a86470c0cb5696647997c2f34763506e37", "tags": ["x_refsource_MISC"], "url": "https://github.com/vshakitskiy/ewe/commit/d8b9b8a86470c0cb5696647997c2f34763506e37"}], "affected": [{"vendor": "vshakitskiy", "product": "ewe", "versions": [{"version": ">= 0.8.0, < 3.0.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T01:13:39.665Z"}, "descriptions": [{"lang": "en", "value": "ewe is a Gleam web server. Versions 0.8.0 through 3.0.4 contain a bug in the handle_trailers function where rejected trailer headers (forbidden or undeclared) cause an infinite loop. When handle_trailers encounters such a trailer, three code paths (lines 520, 523, 526) recurse with the original buffer (rest) instead of advancing past the rejected header (Buffer(header_rest, 0)), causing decoder.decode_packet to re-parse the same header on every iteration. The resulting loop has no timeout or escape \u2014 the BEAM process permanently wedges at 100% CPU. Any application that calls ewe.read_body on chunked requests is affected, and this is exploitable by any unauthenticated remote client before control returns to application code, making an application-level workaround impossible. This issue is fixed in version 3.0.5."}], "source": {"advisory": "GHSA-4w98-xf39-23gp", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-4w98-xf39-23gp", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T16:56:22.137229Z", "id": "CVE-2026-32873", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T18:08:59.660Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32873", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T16:56:22.137229Z"}}}], "references": [{"url": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-4w98-xf39-23gp", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T16:56:32.878Z"}}], "cna": {"title": "ewe: Loop with Unreachable Exit Condition ('Infinite Loop')", "source": {"advisory": "GHSA-4w98-xf39-23gp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "vshakitskiy", "product": "ewe", "versions": [{"status": "affected", "version": ">= 0.8.0, < 3.0.5"}]}], "references": [{"url": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-4w98-xf39-23gp", "name": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-4w98-xf39-23gp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vshakitskiy/ewe/commit/8513de9dcdd0005f727c0f6f15dd89f8d626f560", "name": "https://github.com/vshakitskiy/ewe/commit/8513de9dcdd0005f727c0f6f15dd89f8d626f560", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vshakitskiy/ewe/commit/d8b9b8a86470c0cb5696647997c2f34763506e37", "name": "https://github.com/vshakitskiy/ewe/commit/d8b9b8a86470c0cb5696647997c2f34763506e37", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ewe is a Gleam web server. Versions 0.8.0 through 3.0.4 contain a bug in the handle_trailers function where rejected trailer headers (forbidden or undeclared) cause an infinite loop. When handle_trailers encounters such a trailer, three code paths (lines 520, 523, 526) recurse with the original buffer (rest) instead of advancing past the rejected header (Buffer(header_rest, 0)), causing decoder.decode_packet to re-parse the same header on every iteration. The resulting loop has no timeout or escape \u2014 the BEAM process permanently wedges at 100% CPU. Any application that calls ewe.read_body on chunked requests is affected, and this is exploitable by any unauthenticated remote client before control returns to application code, making an application-level workaround impossible. This issue is fixed in version 3.0.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-825", "description": "CWE-825: Expired Pointer Dereference"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T01:13:39.665Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32873", "state": "PUBLISHED", "dateUpdated": "2026-03-20T18:08:59.660Z", "dateReserved": "2026-03-16T21:03:44.419Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T01:13:39.665Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vshakitskiy:ewe:*:*:*:*:*:*:*:*", "matchCriteriaId": "9825AC91-47D7-4F40-A582-AB13FF203293", "versionEndExcluding": "3.0.5", "versionStartIncluding": "0.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ewe is a Gleam web server. Versions 0.8.0 through 3.0.4 contain a bug in the handle_trailers function where rejected trailer headers (forbidden or undeclared) cause an infinite loop. When handle_trailers encounters such a trailer, three code paths (lines 520, 523, 526) recurse with the original buffer (rest) instead of advancing past the rejected header (Buffer(header_rest, 0)), causing decoder.decode_packet to re-parse the same header on every iteration. The resulting loop has no timeout or escape \u2014 the BEAM process permanently wedges at 100% CPU. Any application that calls ewe.read_body on chunked requests is affected, and this is exploitable by any unauthenticated remote client before control returns to application code, making an application-level workaround impossible. This issue is fixed in version 3.0.5."}, {"lang": "es", "value": "ewe es un servidor web Gleam. Las versiones 0.8.0 a 3.0.4 contienen un error en la funci\u00f3n handle_trailers donde los encabezados de tr\u00e1iler rechazados (prohibidos o no declarados) causan un bucle infinito. Cuando handle_trailers encuentra un tr\u00e1iler de este tipo, tres rutas de c\u00f3digo (l\u00edneas 520, 523, 526) recursan con el b\u00fafer original (rest) en lugar de avanzar m\u00e1s all\u00e1 del encabezado rechazado (Buffer(header_rest, 0)), lo que provoca que decoder.decode_packet vuelva a analizar el mismo encabezado en cada iteraci\u00f3n. El bucle resultante no tiene tiempo de espera ni escape \u2014 el proceso BEAM se atasca permanentemente al 100% de CPU. Cualquier aplicaci\u00f3n que llama a ewe.read_body en solicitudes fragmentadas se ve afectada, y esto es explotable por cualquier cliente remoto no autenticado antes de que el control regrese al c\u00f3digo de la aplicaci\u00f3n, lo que hace imposible una soluci\u00f3n alternativa a nivel de aplicaci\u00f3n. Este problema est\u00e1 solucionado en la versi\u00f3n 3.0.5."}], "id": "CVE-2026-32873", "lastModified": "2026-04-16T13:27:24.807", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T02:16:35.540", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/vshakitskiy/ewe/commit/8513de9dcdd0005f727c0f6f15dd89f8d626f560"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/vshakitskiy/ewe/commit/d8b9b8a86470c0cb5696647997c2f34763506e37"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-4w98-xf39-23gp"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-4w98-xf39-23gp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-825"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-835"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.8.0,3.0.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "ewe", "source": "cna", "vendor": "vshakitskiy"}, "product": "ewe", "vendor": "vshakitskiy"}], "analysis": {"en": {"generated_at": "2026-04-17T11:30:09.553913+00:00", "value": {"mitigation_remediation": ["Upgrade ewe to version 3.0.5 or newer", "Configure any reverse proxy or load balancer to strip or reject HTTP requests that contain trailer headers or disable chunked transfer encoding for the affected endpoints", "Monitor the BEAM process\u2019s CPU usage and set up an automatic restart or graceful kill if usage stays above a threshold (e.g.,\u00a090\u00a0%) to ensure the service can recover while at risk."], "summary": {"action": "Patch Now", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The affected product is the Gleam web server named ewe, produced by vshakitskiy. Vulnerable releases include all versions from 0.8.0 up to and including 3.0.4. Any deployment that uses ewe.read_body to handle chunked requests and exposes a public HTTP endpoint is affected. The bug resides in the handle_trailers function, so any server configured to support chunked transfer encoding is at risk.", "description_and_impact": "The eave server processes HTTP chunked requests with a function that parses trailer headers. In versions 0.8.0 through 3.0.4, if an attacker includes a forbidden or undeclared trailer header, the parsing logic recurses with the same buffer rather than advancing, creating an infinite loop. The core VM running the server, BEAM, then consumes 100\u00a0% of CPU indefinitely, causing the process to become permanently unresponsive. This flaw, classified as CWE\u2011825 and CWE\u2011835, results in a denial of service. Because the loop is triggered before application code runs, any unauthenticated remote client can provoke the effect; no application\u2011level mitigation can prevent it.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.5, indicating high severity, and an EPSS score of less than 1\u202f%, suggesting low but non\u2011zero exploitation probability. It is not listed in the CISA KEV catalog. An attacker can trigger the denial of service by sending an unauthenticated HTTP request containing a forbidden or undeclared trailer header in a chunked payload. The BEAM process will then enter a permanent, non\u2011timeout loop, maintaining 100\u202f% CPU usage until the process is manually restarted or terminated. Because the attack occurs before the application code is executed, it cannot be mitigated by application\u2011level controls."}}}}, "created": "2026-03-20T08:53:39.754284+00:00", "updated": "2026-04-17T11:30:17.006876+00:00", "vendors": ["vshakitskiy", "vshakitskiy$PRODUCT$ewe"]}