CVE-2026-43974
Status: Received - Intake
Unexpected Status Code Handling in gun HTTP Client

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: EEF

Description
Unexpected Status Code or Return Value vulnerability in ninenines gun (gun_http module) allows a malicious HTTP server to force the client into raw protocol mode via an unsolicited 101 Switching Protocols response. In gun_http:handle_inform/8, when a 101 Switching Protocols response is received over HTTP/1.1, the function verifies only that the Upgrade header is syntactically valid and that the stream reference is a plain reference(). It does not check whether the client ever sent an Upgrade or Connection: upgrade header on the corresponding request. Because this check is absent, any 101 response (solicited or not) causes gun to dispatch a gun_upgrade message to the caller and transition the entire connection to raw protocol mode. A malicious or compromised HTTP server can send an unsolicited 101 response to any HTTP/1.1 request, causing the gun client to abandon HTTP framing for that connection. Once in raw mode, gun_raw applies no flow control (flow=infinity) and re-arms socket active mode after every received packet, so the server can flood the client with arbitrary bytes. These are forwarded as unbounded gun_data messages to the owner process, exhausting its mailbox and BEAM memory, ultimately crashing the VM. This issue affects gun: from 2.0.0 before 2.4.0.
Affected Vendors & Products
Showing 3 associated CPEs

Vendor     Product  Version / Range
ninenine   gunc     to 2.4.0 (exc)
ninenine   gunc     From 2.0.0 (inc)
ninenines  gun      From 2.0.0 (inc) to 2.4.0 (exc)
CWE

CWE ID    Description
CWE-841   The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.
Compliance Impact

The vulnerability allows a malicious HTTP server to force the client into raw protocol mode by sending an unsolicited 101 Switching Protocols response without proper validation. This can lead to denial of service by exhausting the BEAM VM's memory and crashing the system.

While the vulnerability impacts system stability and availability, there is no direct information provided about its effects on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability affects the gun HTTP/1.1 client library used in the Erlang ecosystem, specifically versions from 2.0.0 to before 2.4.0.

A malicious HTTP server can send an unsolicited 101 Switching Protocols response to the client. The gun client does not properly verify whether the client actually requested an upgrade before accepting this response.

Because of this, the client switches to raw protocol mode unexpectedly, abandoning normal HTTP framing. In raw mode, the client applies no flow control and forwards all received data to the owner process without limits.

This allows the malicious server to flood the client with arbitrary data, exhausting the client's mailbox and BEAM virtual machine memory, which can ultimately crash the VM.

Impact Analysis

If you use the affected versions of the gun HTTP client, a malicious or compromised HTTP server can exploit this vulnerability to crash your application.

By sending unsolicited 101 Switching Protocols responses, the server can cause your client to enter raw protocol mode and flood it with unbounded data.

This flooding exhausts the BEAM VM's memory and mailbox capacity, leading to a denial of service through application crashes.

Detection Guidance

This vulnerability can be detected by monitoring HTTP/1.1 client connections for 101 Switching Protocols responses to requests that did not carry an Upgrade header, i.e. protocol switches the client never solicited.

You can inspect network traffic using tools like tcpdump or Wireshark to capture HTTP responses and check for unexpected 101 status codes without corresponding Upgrade headers in the requests.

  • Use tcpdump to capture HTTP traffic: tcpdump -i <interface> -A 'tcp port 80 or tcp port 443'
  • Filter captured traffic for HTTP 101 responses: grep 'HTTP/1.1 101 Switching Protocols'
  • Analyze client requests to verify if they included Upgrade headers before the 101 response.

Additionally, monitoring the application logs for unexpected protocol switches or crashes in the BEAM VM may indicate exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to upgrade the gun HTTP client library to version 2.4.0 or later, where the vulnerability is fixed.

The fix ensures that the client rejects unsolicited 101 Switching Protocols responses unless an upgrade was explicitly requested, preventing the client from switching to raw protocol mode unexpectedly.

Until the upgrade is applied, consider implementing network-level controls to block or monitor suspicious 101 responses from untrusted servers.
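As an added example that is not part of this advisory and not gun's own code, the following Python script applies the check described in the Detection Guidance and Mitigation Strategies sections to HTTP/1.1 request/response pairs: a 101 response is accepted only when the request carried both an Upgrade header and Connection: upgrade, which is what RFC 9110 section 7.8 requires of a client that solicits an upgrade. It additionally flags a 101 whose Upgrade header names a protocol the request did not offer; that stricter "mismatch" verdict goes beyond what the advisory states. The function names (parse_head, offered_protocols, classify_101, audit) and the sample exchanges are constructed for this example.

```python
# Added example (not gun's code): audit HTTP/1.1 exchanges for
# 101 Switching Protocols responses that the client never solicited,
# the condition the gun 2.4.0 fix rejects and the detection guidance
# above looks for. The sample exchanges at the bottom are constructed.


def parse_head(message: str) -> tuple[str, dict[str, str]]:
    """Return the start line and a lowercased header map of one HTTP/1.1 message head."""
    head = message.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # blank or malformed header line
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def tokens(value: str) -> set[str]:
    """Split a comma-separated header value into lowercase tokens."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def offered_protocols(request: str) -> set[str]:
    """Protocols the client offered to switch to; empty if it solicited no upgrade.

    RFC 9110 section 7.8: a sender of Upgrade must also send Connection: upgrade,
    so a request lacking either header solicited nothing.
    """
    _, headers = parse_head(request)
    if "upgrade" not in headers or "upgrade" not in tokens(headers.get("connection", "")):
        return set()
    return tokens(headers["upgrade"])


def status_code(response: str) -> int:
    """Status code from a status line such as 'HTTP/1.1 101 Switching Protocols'."""
    start_line, _ = parse_head(response)
    return int(start_line.split(" ", 2)[1])


def classify_101(request: str, response: str) -> str:
    """Classify a response relative to the request it answers.

    'not-101'     : no protocol switch attempted
    'solicited'   : 101 naming only protocols the client offered (legitimate upgrade)
    'unsolicited' : 101 although the client never asked for an upgrade (the CVE-2026-43974 case)
    'mismatch'    : client offered an upgrade, but the 101 names a protocol it did not offer
    """
    if status_code(response) != 101:
        return "not-101"
    offered = offered_protocols(request)
    if not offered:
        return "unsolicited"
    _, resp_headers = parse_head(response)
    switched_to = tokens(resp_headers.get("upgrade", ""))
    return "solicited" if switched_to and switched_to <= offered else "mismatch"


def audit(exchanges: list[tuple[str, str]]) -> list[tuple[int, str]]:
    """Return (index, verdict) for every exchange whose 101 a client should have refused."""
    findings = []
    for i, (req, resp) in enumerate(exchanges):
        verdict = classify_101(req, resp)
        if verdict in ("unsolicited", "mismatch"):
            findings.append((i, verdict))
    return findings


# Constructed sample exchanges (request, response); not real captures.
WS_REQUEST = (
    "GET /chat HTTP/1.1\r\nHost: example.test\r\n"
    "Upgrade: websocket\r\nConnection: Upgrade\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\nSec-WebSocket-Version: 13\r\n\r\n"
)
WS_101 = "HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n\r\n"
PLAIN_REQUEST = "GET /api/status HTTP/1.1\r\nHost: example.test\r\nAccept: */*\r\n\r\n"
PLAIN_200 = "HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
ROGUE_101 = "HTTP/1.1 101 Switching Protocols\r\nUpgrade: h2c\r\nConnection: Upgrade\r\n\r\n"

SAMPLE_EXCHANGES = [
    (WS_REQUEST, WS_101),        # legitimate WebSocket upgrade
    (PLAIN_REQUEST, PLAIN_200),  # ordinary request and response
    (PLAIN_REQUEST, ROGUE_101),  # server forces a switch the client never asked for
    (WS_REQUEST, ROGUE_101),     # client offered websocket, server answers with h2c
]

if __name__ == "__main__":
    for index, verdict in audit(SAMPLE_EXCHANGES):
        print(f"exchange {index}: {verdict} 101 response")
```

The script works on plaintext message heads, for instance request/response pairs reassembled from a tcpdump capture on port 80 as in the steps above. Traffic on port 443 is TLS-encrypted, so tcpdump -A shows nothing to match there; for HTTPS the same check has to run inside the client, which is what the 2.4.0 fix does, or at a TLS-terminating proxy.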
