CVE-2026-32873
Received Received - Intake
Infinite Loop Vulnerability in ewe Web Server Causes CPU Hang

Publication date: 2026-03-20

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
ewe is a Gleam web server. Versions 0.8.0 through 3.0.4 contain a bug in the handle_trailers function where rejected trailer headers (forbidden or undeclared) cause an infinite loop. When handle_trailers encounters such a trailer, three code paths (lines 520, 523, 526) recurse with the original buffer (rest) instead of advancing past the rejected header (Buffer(header_rest, 0)), causing decoder.decode_packet to re-parse the same header on every iteration. The resulting loop has no timeout or escape β€” the BEAM process permanently wedges at 100% CPU. Any application that calls ewe.read_body on chunked requests is affected, and this is exploitable by any unauthenticated remote client before control returns to application code, making an application-level workaround impossible. This issue is fixed in version 3.0.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-14
NVD
CVE-2026-32873
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vshakitskiy ewe From 0.8.0 (inc) to 3.0.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-825 The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32873 is a vulnerability in the Gleam web server called ewe, affecting versions 0.8.0 through 3.0.4. The issue lies in the handle_trailers function, which processes HTTP trailer headers in chunked requests. When the function encounters trailer headers that are forbidden or undeclared, it incorrectly recurses with the original unparsed buffer instead of advancing past the rejected header. This causes the same header to be re-parsed repeatedly, resulting in an infinite loop.

This infinite loop causes the BEAM process to wedge at 100% CPU usage with no timeout or escape, effectively causing a denial of service. The vulnerability is exploitable remotely by any unauthenticated client sending specially crafted chunked HTTP requests with forbidden trailers, and no application-level workaround exists because the issue occurs before control returns to application code.

Impact Analysis

This vulnerability can cause a denial of service (DoS) condition by making the server process enter an infinite loop at 100% CPU usage. This effectively wedges the process, making it unresponsive and exhausting server resources.

Since the vulnerability is exploitable remotely by unauthenticated attackers, it can be triggered by sending specially crafted chunked HTTP requests with forbidden trailer headers. This can lead to service outages or degraded performance, impacting availability.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability causes the affected ewe server process to enter an infinite loop when processing chunked HTTP requests with forbidden or undeclared trailer headers, resulting in 100% CPU usage and the server process hanging indefinitely.'}, {'type': 'paragraph', 'content': 'Detection can be performed by monitoring server processes for unusually high CPU usage, especially when handling chunked HTTP requests.'}, {'type': 'paragraph', 'content': "Additionally, sending crafted chunked HTTP requests containing forbidden trailer headers (such as 'host') can be used as a proof of concept to detect the vulnerability by observing if the server process hangs or consumes excessive CPU."}, {'type': 'paragraph', 'content': 'Example command to test the vulnerability (using curl with chunked transfer encoding and forbidden trailer headers) could be constructed, but specific commands are not provided in the available resources.'}] [3]

Mitigation Strategies

The vulnerability is fixed in ewe version 3.0.5. The immediate and recommended mitigation is to upgrade the ewe web server to version 3.0.5 or later.

No application-level workaround exists because the infinite loop occurs inside the read_body function before control returns to application code.

Until the upgrade is applied, monitoring and limiting incoming chunked HTTP requests with trailer headers from untrusted sources may help reduce exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32873. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart