Description

ewe is a Gleam web server. Versions 0.8.0 through 3.0.4 contain a bug in the handle_trailers function where rejected trailer headers (forbidden or undeclared) cause an infinite loop. When handle_trailers encounters such a trailer, three code paths (lines 520, 523, 526) recurse with the original buffer (rest) instead of advancing past the rejected header (Buffer(header_rest, 0)), causing decoder.decode_packet to re-parse the same header on every iteration. The resulting loop has no timeout or escape — the BEAM process permanently wedges at 100% CPU. Any application that calls ewe.read_body on chunked requests is affected, and this is exploitable by any unauthenticated remote client before control returns to application code, making an application-level workaround impossible. This issue is fixed in version 3.0.5.

INFO

Published Date :

2026-03-20T01:13:39.665Z

Last Modified :

2026-03-20T18:08:59.660Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-32873 vulnerability.

Vendors Products
Vshakitskiy
  • Ewe
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-32873.

URL Resource
https://github.com/vshakitskiy/ewe/commit/8513de9dcdd0005f727c0f6f15dd89f8d626f560 cve-icon cve-icon
https://github.com/vshakitskiy/ewe/commit/d8b9b8a86470c0cb5696647997c2f34763506e37 cve-icon cve-icon
https://github.com/vshakitskiy/ewe/security/advisories/GHSA-4w98-xf39-23gp cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact