20 matches found
CVE-2026-34715
ewe is a Gleam web server. Prior to version 3.0.6, the encodeheaders function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP bytes without validating or stripping CRLF \r\n sequences. An application that passes user-controlled data into...
CVE-2026-34715
Vulnerability: ewe (Gleam web server) prior to 3.0.6 allows HTTP header injection via encode_headers in src/ewe/internal/encoder.gleam. The function directly interpolates response header keys and values into raw HTTP bytes without validating or stripping CRLF sequences, so user-controlled data (e...
CVE-2026-34715 ewe Has Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting)
ewe is a Gleam web server. Prior to version 3.0.6, the encodeheaders function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP bytes without validating or stripping CRLF \r\n sequences. An application that passes user-controlled data into...
CVE-2026-34715
ewe is a Gleam web server. Prior to version 3.0.6, the encodeheaders function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP bytes without validating or stripping CRLF \r\n sequences. An application that passes user-controlled data into...
ewe 注入漏洞
ewe is a lightweight web server build package developed by Vladislav Shakitskiy. Versions of ewe prior to 3.0.6 contained an injection vulnerability. This vulnerability stemmed from the encodeheaders function not verifying or stripping CRLF sequences, which could lead to response splitting, cache...
CVE-2026-32881
ewe is a Gleam web server. ewe is a Gleam web server. Versions 0.6.0 through 3.0.4 are vulnerable to authentication bypass or spoofed proxy-trust headers. Chunked transfer encoding trailer handling merges declared trailer fields into req.headers after body parsing, but the denylist only blocks 9...
CVE-2026-32873
ewe is a Gleam web server. Versions 0.8.0 through 3.0.4 contain a bug in the handletrailers function where rejected trailer headers forbidden or undeclared cause an infinite loop. When handletrailers encounters such a trailer, three code paths lines 520, 523, 526 recurse with the original buffer...
CVE-2026-32881
ewe is a Gleam web server. ewe is a Gleam web server. Versions 0.6.0 through 3.0.4 are vulnerable to authentication bypass or spoofed proxy-trust headers. Chunked transfer encoding trailer handling merges declared trailer fields into req.headers after body parsing, but the denylist only blocks 9...
CVE-2026-32873
ewe is a Gleam web server. Versions 0.8.0 through 3.0.4 contain a bug in the handletrailers function where rejected trailer headers forbidden or undeclared cause an infinite loop. When handletrailers encounters such a trailer, three code paths lines 520, 523, 526 recurse with the original buffer...
CVE-2026-32881
Summary: CVE-2026-32881 affects the Gleam web server “ewe.” Versions 0.6.0–3.0.4 are vulnerable to an authentication bypass and header spoofing due to how trailer headers are merged into req.headers after body parsing. The denylist in the trailer handling only blocks nine header names, allowing a...
CVE-2026-32881 ewe has an Overly Permissive List of Allowed Inputs
ewe is a Gleam web server. ewe is a Gleam web server. Versions 0.6.0 through 3.0.4 are vulnerable to authentication bypass or spoofed proxy-trust headers. Chunked transfer encoding trailer handling merges declared trailer fields into req.headers after body parsing, but the denylist only blocks 9...
CVE-2026-32881
ewe is a Gleam web server. ewe is a Gleam web server. Versions 0.6.0 through 3.0.4 are vulnerable to authentication bypass or spoofed proxy-trust headers. Chunked transfer encoding trailer handling merges declared trailer fields into req.headers after body parsing, but the denylist only blocks 9...
CVE-2026-32881 ewe has an Overly Permissive List of Allowed Inputs
ewe is a Gleam web server. ewe is a Gleam web server. Versions 0.6.0 through 3.0.4 are vulnerable to authentication bypass or spoofed proxy-trust headers. Chunked transfer encoding trailer handling merges declared trailer fields into req.headers after body parsing, but the denylist only blocks 9...
CVE-2026-32881 ewe has an Overly Permissive List of Allowed Inputs
ewe is a Gleam web server. ewe is a Gleam web server. Versions 0.6.0 through 3.0.4 are vulnerable to authentication bypass or spoofed proxy-trust headers. Chunked transfer encoding trailer handling merges declared trailer fields into req.headers after body parsing, but the denylist only blocks 9...
CVE-2026-32873 ewe: Loop with Unreachable Exit Condition ('Infinite Loop')
ewe is a Gleam web server. Versions 0.8.0 through 3.0.4 contain a bug in the handletrailers function where rejected trailer headers forbidden or undeclared cause an infinite loop. When handletrailers encounters such a trailer, three code paths lines 520, 523, 526 recurse with the original buffer...
CVE-2026-32873 ewe: Loop with Unreachable Exit Condition ('Infinite Loop')
ewe is a Gleam web server. Versions 0.8.0 through 3.0.4 contain a bug in the handletrailers function where rejected trailer headers forbidden or undeclared cause an infinite loop. When handletrailers encounters such a trailer, three code paths lines 520, 523, 526 recurse with the original buffer...
CVE-2026-32873
CVE-2026-32873 affects the Gleam-based web server ewe (versions 0.8.0–3.0.4). The bug in handle_trailers causes an infinite loop when encountering rejected trailers by recursively re-parsing the same header (using rest) instead of advancing past it (Buffer(header_rest, 0)). This leads to a perman...
ewe 安全漏洞
ewe is a lightweight web server build package developed by Vladislav Shakitskiy. Versions of ewe 3.0.4 and earlier contained security vulnerabilities, which stemmed from improper handling of the chunk transfer encoding at the end of the transmission. These vulnerabilities could lead to...
ewe 安全漏洞
ewe is a lightweight web server build package developed by Vladislav Shakitskiy. Versions of ewe 3.0.4 and earlier contained security vulnerabilities; these vulnerabilities stemmed from an infinite loop in the handletrailers function, which could lead to a denial-of-service attack...
Loop with Unreachable Exit Condition ('Infinite Loop') in ewe
Summary ewe's handletrailers function contains a bug where rejected trailer headers forbidden or undeclared cause an infinite loop. The function recurses with the original unparsed buffer instead of advancing past the rejected header, re-parsing the same header forever. Each malicious request...