PT-2026-26174 · Gleam · Ewe

Jtdowney · Published 2026-03-16 · Updated 2026-03-20 · CVE-2026-32873

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: ewe versions 0.8.0 through 3.0.4

Description: ewe, a Gleam web server, contains an infinite loop in its handle_trailers function. When the function encounters a rejected trailer header (one that is forbidden or was not declared), it recurses with the original buffer instead of advancing past the rejected header, so it re-reads the same header indefinitely. The loop has no timeout or escape mechanism, and the BEAM process becomes permanently wedged at 100% CPU utilization. Any application that calls ewe.read_body on chunked requests is susceptible, and the issue can be triggered by any unauthenticated remote client. Because the loop is entered before control returns to application code, no application-level workaround is possible. A proof of concept consists of a chunked request carrying a forbidden trailer such as 'host', which causes the server to hang. Concurrent such requests exhaust server resources, leaving stuck processes with continuously increasing reduction counts. The vulnerable code is in the False/Error branches of handle_trailers, where the original buffer is incorrectly passed to the recursive call.

Recommendations: Versions prior to 3.0.5 are vulnerable. Update to version 3.0.5 or later to resolve the issue.
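The bug class described above, as an added example that is not ewe's code: a toy Python model of chunked-trailer handling, written as a loop rather than ewe's recursion, with the vulnerable path (buffer not advanced after a rejected trailer) and the fixed path side by side. The FORBIDDEN set, the declared-trailer set and the step cap are assumptions made for the model.

```python
# Added example, not ewe's code: a toy model of chunked-trailer handling that
# reproduces the bug class in this advisory. FORBIDDEN and `declared` are assumptions.
FORBIDDEN = {"host", "content-length", "transfer-encoding"}  # assumed forbidden set


def parse_trailer_line(buf: bytes):
    """Split one 'name: value\\r\\n' line off buf.

    Returns (name, value, rest); name is '' for the empty line that ends the
    trailer section. Returns None when buf does not yet hold a complete line.
    """
    end = buf.find(b"\r\n")
    if end < 0:
        return None
    line, rest = buf[:end], buf[end + 2:]
    name, _, value = line.partition(b":")
    return name.strip().lower().decode("latin-1"), value.strip().decode("latin-1"), rest


def handle_trailers(buf: bytes, declared: set, *, advance_past_rejected: bool,
                    max_steps: int = 1000):
    """Consume the trailer section, keeping only declared, non-forbidden trailers.

    advance_past_rejected=False mirrors the vulnerable branch: a rejected trailer
    is dropped but the buffer is not advanced, so the same line is parsed again
    forever. max_steps exists only so this model terminates; the real loop had no
    escape. Returns the accepted trailers, or None if the step cap was hit.
    """
    accepted = {}
    for _ in range(max_steps):
        parsed = parse_trailer_line(buf)
        if parsed is None:
            return accepted  # incomplete line; a real server would read more bytes
        name, value, rest = parsed
        if name == "":
            return accepted  # empty line terminates the trailer section
        if name in FORBIDDEN or name not in declared:
            if advance_past_rejected:
                buf = rest  # FIX: skip the rejected header and keep going
            # BUG (vulnerable path): buf is left unchanged, so the next iteration
            # re-parses the very same rejected header
            continue
        accepted[name] = value
        buf = rest
    return None  # step cap hit: the real process would spin at 100% CPU
```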

Exploit · Fix

Weakness Enumeration: Infinite Loop

Related Identifiers: CVE-2026-32873, GHSA-4W98-XF39-23GP

Affected Products: Ewe