CVE-2026-43972
Status: Received - Intake
Cross-Origin Cookie Injection in Gun HTTP/2

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: EEF

Description
Origin Validation Error vulnerability in ninenines gun (gun_http2 module) allows cross-origin cookie injection via unvalidated HTTP/2 PUSH_PROMISE authority. In gun_http2:push_promise_frame/7, the :authority pseudo-header from an incoming PUSH_PROMISE frame is stored verbatim into the promised stream record without checking that it matches the connection's origin. When gun_http2:headers_frame/9 later processes the response headers for the promised stream, it calls gun_cookies:set_cookie_header/7 with the unvalidated server-supplied authority before any status branching and before user code can act. This violates RFC 7540 §10.6 / RFC 9113 §8.4, which require receivers to treat as a protocol error any push for a resource the server is not authoritative for. A malicious or compromised HTTP/2 server can plant cookies scoped to arbitrary third-party domains into the client's shared cookie store. This enables session fixation attacks against those domains and, if the planted cookie overrides a legitimate session token, may result in account takeover. No user interaction beyond making a normal HTTP/2 request to the attacker-controlled server is required. This issue affects gun: from 2.0.0 before 2.4.0.
Affected Vendors & Products
Vendor: ninenines
Product: gun
Version / Range: from 2.0.0 (inclusive) to 2.4.0 (exclusive)
CWE ID Description
CWE-346 The product does not properly verify that the source of data or communication is valid.
Executive Summary

The vulnerability is an origin validation error in the gun HTTP/2 library's gun_http2 module. It occurs because the :authority pseudo-header from an incoming HTTP/2 PUSH_PROMISE frame is stored without verifying that it matches the connection's origin.

This lack of validation violates HTTP/2 protocol specifications (RFC 7540 and RFC 9113), which require rejecting push promises for resources the server is not authoritative for.

As a result, a malicious or compromised HTTP/2 server can inject cookies scoped to arbitrary third-party domains into the client's cookie store. This enables session fixation attacks and may lead to account takeover if the injected cookie overrides a legitimate session token.

No user interaction beyond making a normal HTTP/2 request to the attacker-controlled server is required to exploit this vulnerability.

Impact Analysis

This vulnerability can impact you by allowing a malicious or compromised HTTP/2 server to plant cookies for arbitrary third-party domains in the gun client's shared cookie store.

Such cookie injection can enable session fixation attacks, where an attacker forces a user to use a known session identifier, potentially allowing the attacker to hijack the user's session.

If the injected cookie overrides a legitimate session token, it may result in account takeover without any user interaction beyond making a normal HTTP/2 request to a malicious server.

Detection Guidance

This vulnerability is triggered by HTTP/2 PUSH_PROMISE frames whose :authority pseudo-header does not match the connection's origin, allowing cross-origin cookie injection.

To detect exploitation attempts on your network, monitor HTTP/2 traffic for PUSH_PROMISE frames where the :authority pseudo-header differs from the authority of the original request. Because HTTP/2 is almost always carried over TLS, this inspection is only possible at a point where the traffic is decrypted (for example, a client instrumented to export TLS session keys).

Network protocol analyzers such as Wireshark or tshark can filter and inspect HTTP/2 PUSH_PROMISE frames:

  • Use tshark to capture HTTP/2 PUSH_PROMISE frames: tshark -Y 'http2.type == 5' -T fields -e http2.push_promise.headers
  • Inspect the :authority pseudo-header in the PUSH_PROMISE frames and compare it to the original request's :authority header.
  • Look for discrepancies indicating that the pushed resource's authority does not match the connection's origin.
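As an added example, not gun's code and not part of this advisory, the following Python models the two checks described above: the gate a PUSH_PROMISE must pass before its :authority is trusted (the behaviour the fix restores), and a detector that applies the same comparison to records exported from a capture. The record shape, host names, cookie values and the `validate` switch that reproduces the unvalidated path are all constructed for the example; the conservative reading of RFC 9113 §8.4 used here is that the only authority a server has is the origin the client connected to.

```python
"""Added example (not gun's code): validating a PUSH_PROMISE :authority against
the connection's origin, per RFC 9113 section 8.4, and applying the same check
to exported capture records. All hosts, records and cookies are constructed."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


class ProtocolError(Exception):
    """A pushed resource the server is not authoritative for (PROTOCOL_ERROR)."""


def normalize_authority(authority, scheme):
    """Turn 'host[:port]' into (lowercase host, port), filling in the scheme's default port.

    urlsplit handles IPv6 literals such as '[::1]:8443' and raises ValueError on a
    malformed port; a missing host or an unknown scheme is rejected here.
    """
    parts = urlsplit(f"//{authority}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    if not parts.hostname or port is None:
        raise ValueError(f"invalid authority {authority!r} for scheme {scheme!r}")
    return parts.hostname.lower(), port


def push_authority_allowed(conn_origin, promised_scheme, promised_authority):
    """Accept a push only when its scheme and authority are those of the connection.

    Conservative reading of RFC 9113 sections 8.4 and 10.1: the client treats the
    origin it connected to as the only authority the server has.
    """
    conn = urlsplit(conn_origin)
    try:
        conn_host_port = normalize_authority(conn.netloc, conn.scheme)
        promised_host_port = normalize_authority(promised_authority, promised_scheme)
    except ValueError:
        return False
    return promised_scheme == conn.scheme and promised_host_port == conn_host_port


def process_pushed_response(conn_origin, promise, response_headers, cookie_jar, validate=True):
    """Model of the promised-stream path the advisory describes.

    With validate=False the server-supplied :authority is trusted verbatim, so a
    Set-Cookie on the pushed response lands in the jar under whatever host the
    server named. With validate=True the promise is rejected before any cookie
    handling runs, which is the behaviour the fix restores.
    """
    scheme, authority = promise[":scheme"], promise[":authority"]
    if validate and not push_authority_allowed(conn_origin, scheme, authority):
        raise ProtocolError(f"push for {scheme}://{authority} on connection to {conn_origin}")
    host, _ = normalize_authority(authority, scheme)
    for name, value in response_headers:
        if name.lower() == "set-cookie":
            cookie_name, _, rest = value.partition("=")
            cookie_jar.setdefault(host, {})[cookie_name.strip()] = rest.split(";", 1)[0].strip()
    return cookie_jar


def push_is_rejected(conn_origin, promise):
    """True when the validated path refuses the promise."""
    try:
        process_pushed_response(conn_origin, promise, [], {})
    except ProtocolError:
        return True
    return False


# Constructed records in the shape a per-frame field export gives:
# (origin of the connection the frame arrived on, promised :scheme, promised :authority).
SAMPLE_PUSHES = [
    ("https://api.example.test", "https", "api.example.test"),
    ("https://api.example.test", "https", "API.EXAMPLE.TEST:443"),
    ("https://api.example.test", "https", "login.bank.example"),
    ("https://api.example.test", "https", "api.example.test:8443"),
    ("https://api.example.test", "http", "api.example.test"),
    ("http://cdn.example.test:8080", "http", "cdn.example.test:8080"),
]


def flag_cross_origin_pushes(records):
    """Return (connection origin, promised scheme://authority) for every push that fails the check."""
    return [
        (origin, f"{scheme}://{authority}")
        for origin, scheme, authority in records
        if not push_authority_allowed(origin, scheme, authority)
    ]


if __name__ == "__main__":
    for origin, promised in flag_cross_origin_pushes(SAMPLE_PUSHES):
        print(f"cross-origin push: {promised} on connection to {origin}")
```

Host comparison is case-insensitive and port-normalized, so `API.EXAMPLE.TEST:443` on an `https://api.example.test` connection is accepted while a different port, a different scheme or an empty authority is not; the detector reports only the records that would have been rejected by a correct client.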
Mitigation Strategies

The vulnerability was fixed in gun version 2.4.0 by enforcing strict validation of the :authority pseudo-header in HTTP/2 PUSH_PROMISE frames.

Immediate mitigation steps include:

  • Upgrade the gun library to version 2.4.0 or later, which includes the fix that rejects push promises with mismatched authorities.
  • If upgrading is not immediately possible, disable HTTP/2 server push on the client side (advertise SETTINGS_ENABLE_PUSH = 0 in the connection settings), so a conforming server must not send PUSH_PROMISE frames at all.
  • Monitor and audit HTTP/2 traffic for suspicious PUSH_PROMISE frames with unexpected :authority headers.
Compliance Impact

The vulnerability violates RFC 7540 §10.6 and RFC 9113 §8.4 by allowing cross-origin cookie injection without proper origin validation. This can lead to session fixation and potential account takeover by planting cookies scoped to arbitrary third-party domains.

Such unauthorized cookie injection and potential account takeover can compromise user data confidentiality and integrity, which may negatively impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information.

Therefore, this vulnerability poses a risk to compliance with standards and regulations that mandate strict controls on user session management and data protection.
