PT-2026-26175 · Gleam · Ewe

Jtdowney · Published 2026-03-16 · Updated 2026-03-20 · CVE-2026-32881

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

ewe versions 0.6.0 through 3.0.4

Description

ewe, a Gleam web server, is susceptible to authentication bypass and spoofed proxy-trust headers. The server's handling of chunked transfer-encoding trailers merges the declared trailer fields into the request headers after the body has been parsed, but the denylist that guards this merge blocks only nine header names. A malicious client can declare headers in the `Trailer` field and append them after the final chunk, causing `request.set_header` to overwrite legitimate values. This allows attackers to forge authentication credentials, hijack sessions, bypass IP-based rate limiting, or spoof proxy-trust headers in downstream middleware that reads headers after `ewe.read_body` is called. The issue stems from the `handle_trailers` function (ewe/internal/http1.gleam:493), which uses `request.set_header` (line 517) and a limited denylist (line 534). Security-sensitive headers such as `authorization`, `cookie`, `proxy-authorization`, `x-forwarded-for`, `x-forwarded-host`, `x-forwarded-proto`, and `x-real-ip` are not blocked and can be injected or overwritten. A proof of concept demonstrates injecting or overwriting headers such as `authorization` and `x-forwarded-for` using crafted HTTP requests that carry a `Trailer` header.

Recommendations

Versions 0.6.0 through 3.0.4 are affected and should be updated to version 3.0.5 or later. Expand the denylist in the `is_forbidden_trailer` function to include `authorization`, `cookie`, `set-cookie`, `proxy-authorization`, `x-forwarded-for`, `x-forwarded-host`, `x-forwarded-proto`, and `x-real-ip`. Alternatively, switch to an allowlist model that only permits explicitly safe trailer field names.
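The allowlist model recommended above, shown as an added Python example (not ewe's own code): a minimal chunked-body decoder extracts the trailer fields, and a merge step only accepts names that were both declared in `Trailer` and present in an explicit safe list, never overwriting a header the request already carried. The `SAFE_TRAILERS` set, the request headers and the chunked body are constructed for the example.

```python
from typing import Dict, Tuple

# Allowlist of trailer fields the application considers safe to merge (assumption).
SAFE_TRAILERS = frozenset({"content-md5", "x-checksum"})


def parse_chunked(body: bytes) -> Tuple[bytes, Dict[str, str]]:
    """Decode a chunked body; return the payload and the trailer fields sent after the last chunk."""
    payload = bytearray()
    rest = body
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line.split(b";")[0].strip(), 16)  # ignore chunk extensions
        if size == 0:
            break
        payload += rest[:size]
        rest = rest[size + 2:]  # skip chunk data and its trailing CRLF
    trailers: Dict[str, str] = {}
    for line in rest.split(b"\r\n"):
        if not line:  # empty line terminates the trailer section
            break
        name, _, value = line.decode("latin-1").partition(":")
        trailers[name.strip().lower()] = value.strip()
    return bytes(payload), trailers


def merge_trailers(headers: Dict[str, str], trailers: Dict[str, str]) -> Dict[str, str]:
    """Merge trailers under an allowlist: declared in Trailer, in SAFE_TRAILERS, and not already set."""
    declared = {n.strip().lower() for n in headers.get("trailer", "").split(",") if n.strip()}
    merged = dict(headers)
    for name, value in trailers.items():
        if name in declared and name in SAFE_TRAILERS and name not in merged:
            merged[name] = value
        # anything else (authorization, x-forwarded-for, ...) is silently dropped
    return merged


def demo() -> Dict[str, str]:
    """Constructed request: a legitimate Authorization header plus trailers trying to override it."""
    headers = {"host": "app.example", "authorization": "Bearer legit",
               "trailer": "Authorization, X-Forwarded-For, X-Checksum"}
    body = (b"5\r\nhello\r\n0\r\n"
            b"Authorization: Bearer forged\r\nX-Forwarded-For: 127.0.0.1\r\n"
            b"X-Checksum: abc\r\n\r\n")
    payload, trailers = parse_chunked(body)
    assert payload == b"hello"
    return merge_trailers(headers, trailers)
```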

Exploit

Fix


Weakness Enumeration

Related identifiers

CVE-2026-32881
GHSA-9W88-79F8-M3VP

Affected products

Ewe