Loïc Hoguin

**Name of the Vulnerable Software and Affected Versions** cowlib versions 2.9.0 and later **Description** Improper neutralization of CRLF sequences in HTTP headers allows HTTP response splitting via non-VCHAR bytes in structured-fields string values. The function `escape string/2` in `cow http struct hd` only escapes backslashes and double quotes, passing other bytes verbatim. This creates an asymmetry where the parser accepts only printable ASCII, but the encoder emits any byte, including Carriage Return (CR) and Line Feed (LF). An application building a structured HTTP header via `item/1` in `cow http struct hd` (or wrappers like `wt protocol/1` in `cow http hd`) using attacker-controlled input can have CRLF sequences injected. These sequences terminate the current header, causing subsequent bytes to be interpreted as a new header. **Recommendations** For versions 2.9.0 and later, validate all values passed into structured-fields header builders, such as `item/1` in `cow http struct hd`, and reject any values containing CR or LF bytes or those not from a trusted source. As a temporary mitigation, restrict the use of attacker-controlled data within the `item/1` function of `cow http struct hd`.

**Name of the Vulnerable Software and Affected Versions** ninenines gun versions 2.0.0 through 2.3.x **Description** An origin validation error in the `gun http2` module allows cross-origin cookie injection through an unvalidated HTTP/2 PUSH PROMISE authority. In the `push promise frame()` function, the `:authority` pseudo-header from an incoming PUSH PROMISE frame is stored in the promised stream record without verifying that it matches the connection origin. Subsequently, the `headers frame()` function calls `set cookie header()` using this unvalidated authority. This behavior violates protocol standards that require receivers to treat pushes for resources the server is not authoritative for as protocol errors. A malicious or compromised HTTP/2 server can use this to plant cookies for arbitrary third-party domains in the client's shared cookie store, potentially leading to session fixation or account takeover. This is exploitable when the software is configured with a `cookie store` and connects to an HTTP/2 server with server push enabled. **Recommendations** Update to version 2.4.0 or later. As a temporary mitigation, avoid connecting to HTTP/2 servers with server push enabled or disable the `cookie store` configuration.

**Name of the Vulnerable Software and Affected Versions** ninenines gun versions 1.0.0 through 2.3.x **Description** Uncontrolled Resource Consumption in the `gun http` module allows a malicious server to exhaust client memory through unbounded HTTP/1.1 response buffering. In the `handle()/5` function, three clauses accumulate incoming TCP data into the connection's buffer using binary concatenation without an upper-bound check. Specifically, the head clause appends data until the header terminator is found, the `body chunked` clause appends data when `cow http te:stream chunked()/2` indicates an incomplete chunk boundary, and the `body trailer` clause appends data until the trailing terminator is found. If the expected terminator never arrives, the binary grows indefinitely in the state. A malicious server can exploit this by sending a partial response that never completes, leading to unbounded heap growth. Since BEAM does not impose per-process heap limits by default, a single connection can exhaust all available memory on the node, resulting in a node-wide out-of-memory crash. **Recommendations** Update to version 2.4.0 or later.

**Name of the Vulnerable Software and Affected Versions** gun versions 2.0.0 through 2.3.x **Description** An issue in the `gun http` module allows a malicious HTTP server to force a client into raw protocol mode by sending an unsolicited 101 Switching Protocols response. In the `handle inform/8` function, the software verifies the syntax of the Upgrade header and the stream reference but fails to check if the client actually requested an upgrade via Upgrade or Connection: upgrade headers. Consequently, any 101 response triggers a `gun upgrade` message and transitions the connection to raw protocol mode. In this mode, `gun raw` disables flow control and re-arms socket active mode after every packet, enabling a server to flood the client with arbitrary bytes. These are forwarded as unbounded `gun data` messages, which can exhaust the owner process mailbox and BEAM memory, leading to a virtual machine crash. **Recommendations** Update to version 2.4.0 or later.

**Name of the Vulnerable Software and Affected Versions** cowboy versions 2.0.0 through 2.14.x **Description** An issue in multipart header parsing allows an unauthenticated attacker to cause a denial of service via unbounded buffer accumulation. The function `read part()` in `src/cowboy req.erl` accumulates incoming request bytes into a Buffer binary without an upper-bound check. When `parse headers()` returns more data, the function continues to read and recurse with an enlarged buffer. By sending a `multipart/form-data` request that never yields a complete header section—such as one missing the boundary delimiter or the ` ` sequence—an attacker can force the server to accumulate memory linearly, potentially exhausting BEAM memory with a few concurrent uploads. This occurs when an HTTP endpoint calls `read part/1,2` to process request bodies. **Recommendations** Update to version 2.15.0 or later. As a temporary workaround, restrict access to endpoints that process `multipart/form-data` request bodies using the `read part()` function.

**Name of the Vulnerable Software and Affected Versions** cowlib versions 0.1.0 through 2.16.0 **Description** Improper handling of highly compressed data leads to data amplification, allowing an unauthenticated remote actor to cause a denial of service via memory exhaustion. The `cow spdy:inflate/2` function passes compressed bytes from a peer to `zlib:inflate/2` without an output size bound. Because the SPDY header compression dictionary (`?ZDICT`) is public and zlib can compress repeated bytes at a ratio of approximately 1024:1, a small SPDY frame payload can decompress into gigabytes on the BEAM heap, resulting in an Out-Of-Memory (OOM) condition that kills the node. This condition can be triggered by a single unauthenticated SPDY frame. The `cow spdy:parse headers/2` function affects the parsers for `syn stream`, `syn reply`, and `headers` frame types. This issue specifically impacts applications that use `cow spdy:parse/2` to parse SPDY frames from untrusted peers. **Recommendations** Update to version 2.16.1 or later. As a temporary mitigation, restrict the use of the `cow spdy:parse/2` function when handling data from untrusted peers.

**Name of the Vulnerable Software and Affected Versions** cowlib versions 2.6.0 and later **Description** Improper Neutralization of CRLF Sequences (CRLF Injection) allows SSE event splitting and injection through unvalidated field values. The `cow sse:event/1` function guards the `id` and `event` fields against ` ` but not against `r`, while the internal `prefix lines/2` function used for data and comment fields only splits on ` `. Since the SSE specification treats `r `, `r`, and ` ` as equivalent line terminators, an attacker controlling these fields can inject additional SSE lines to forge events with arbitrary types and data payloads. In environments where browser EventSource clients or other SSE consumers render `event.data` or dispatch on `event.type`, this can lead to client-side logic manipulation and stored-XSS-equivalent behavior when data is inserted into the DOM. **Recommendations** For versions 2.6.0 and later, sanitize user-controlled values before passing them to `cow sse:event/1` by rejecting or stripping any value containing `r` or ` ` characters in the `id`, `event`, `data`, and `comment` fields. Ensure all SSE field values are derived exclusively from trusted, application-controlled data rather than user input.

**Name of the Vulnerable Software and Affected Versions** cowlib versions 0.6.0 through 2.16.0 **Description** An uncontrolled resource consumption issue in the `cow http te` module allows for excessive allocation. The chunked transfer-encoding parser accepts an unbounded number of hex digits in the chunk-size field. Each digit triggers a bignum multiplication, resulting in O(N²) CPU work and O(N) memory usage for N hex digits. When input is drip-fed, the parser discards accumulated length on partial reads and restarts, increasing the cost to O(N³). An unauthenticated remote attacker can cause a denial of service via CPU exhaustion and memory amplification by sending an HTTP/1.1 request with `Transfer-Encoding: chunked` and an excessively long chunk-size hex string. This issue is associated with the file `src/cow http te.erl` and the functions `cow http te:stream chunked/2` and `cow http te:chunked len/4`. **Recommendations** Update to version 2.16.1. In Cowboy, set `initial stream flow size` to a significantly lower value to limit the amount of chunked body data parsed in a single read, reducing the impact of the resource consumption.