CVE-2026-43973: gun HTTP/1.1 response buffer has no size limit allowing server-controlled memory exhaustion
Uncontrolled Resource Consumption vulnerability in ninenines gun (gun_http module) allows a malicious server to exhaust client memory via unbounded HTTP/1.1 response buffering. In gun_http:handle/5, three clauses accumulate incoming TCP data into the connection's buffer field using binary concatenation with no upper-bound check: the head clause appends data until the \r\n\r\n header terminator is found; the body_chunked clause appends data whenever cow_http_te:stream_chunked/2 returns a more result indicating an incomplete chunk boundary; and the body_trailer clause appends data until the trailing \r\n\r\n is found. In each case, when the expected terminator never arrives, the enlarged binary is stored back into state and the process waits for more data, with no configurable or hard-coded ceiling on buffer size.

A malicious or compromised server can exploit this by sending a partial response that never completes. For example, a response may begin with HTTP/1.1 200 OK\r\nX-Pad: followed by an unbounded stream of arbitrary bytes, never sending the header terminator. The gun connection process will continuously append the incoming data to its buffer, causing unbounded heap growth. Because BEAM imposes no per-process heap limit by default, a single malicious connection can exhaust all available memory on the node, causing a node-wide out-of-memory crash.

This issue affects gun: from 1.0.0 before 2.4.0.
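As an added example, not code from gun or from its fix commit: an Erlang model of the three accumulating clauses described above, with the missing size ceiling added, fed the advisory's unterminated X-Pad response. The module name, MAX_BUF value and phase names are assumptions for illustration.

```erlang
%% Added example, not gun's code: a minimal model of the three accumulating
%% clauses (head, chunked body, trailers) with the missing size ceiling added.
%% MAX_BUF and the phase names are illustrative assumptions.
-module(bounded_resp_buf).
-export([handle/3, simulate_malicious_server/0]).

-define(MAX_BUF, 1048576). %% 1 MiB cap on any partial-message buffer (assumed)

%% handle(Phase, Buffer, Data): append Data as gun_http:handle/5 does, but stop
%% growing the buffer once the terminator is still missing beyond the cap.
handle(Phase, Buffer, Data) ->
    Buffer2 = <<Buffer/binary, Data/binary>>,
    case terminator_found(Phase, Buffer2) of
        true -> {done, Buffer2};
        false when byte_size(Buffer2) > ?MAX_BUF -> {error, {buffer_too_large, Phase}};
        false -> {more, Buffer2}
    end.

%% head and body_trailer wait for the blank line; body_chunked waits for one
%% complete chunk (hex size line, data, CRLF). Chunk extensions are not parsed.
terminator_found(head, Bin) ->
    binary:match(Bin, <<"\r\n\r\n">>) =/= nomatch;
terminator_found(body_trailer, Bin) ->
    binary:match(Bin, <<"\r\n\r\n">>) =/= nomatch;
terminator_found(body_chunked, Bin) ->
    case binary:split(Bin, <<"\r\n">>) of
        [SizeHex, Rest] ->
            try binary_to_integer(SizeHex, 16) of
                Size -> byte_size(Rest) >= Size + 2
            catch error:badarg -> false
            end;
        _ -> false
    end.

%% Constructed malicious response from the advisory: a status line plus an
%% X-Pad header whose value never ends. Each loop iteration models one TCP read.
simulate_malicious_server() ->
    Start = <<"HTTP/1.1 200 OK\r\nX-Pad: ">>,
    Pad = binary:copy(<<"A">>, 65536), %% 64 KiB of padding per read, no CRLF
    loop(head, Start, Pad, 0).

%% Without the cap this loop never returns and the heap grows with every read;
%% with it, the connection is closed after a bounded number of reads.
loop(Phase, Buf, Pad, Reads) ->
    case handle(Phase, Buf, Pad) of
        {more, Buf2} -> loop(Phase, Buf2, Pad, Reads + 1);
        {error, Reason} -> {closed, Reads + 1, Reason};
        {done, _} -> done
    end.
```

Independently of a parser-level bound, the process doing the buffering can be given a heap cap (process_flag(max_heap_size, ...) for that process, or a node-wide default via the erl +hmax emulator flag) so that runaway buffering kills one process instead of exhausting the whole node.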
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: 2.4.0
- Affected Products: 2
HarborGuard Analysis
Synopsis
Uncontrolled resource consumption in the ninenines gun HTTP client library (gun_http module) allows a malicious or compromised server to exhaust the memory of any Erlang node running a gun connection. The vulnerability is reachable over the network with no authentication required on the client side, because the attacker controls the server end of the connection. Successful exploitation crashes the entire BEAM node by exhausting available heap memory, taking down every process running on it. A patched-image rebuild at version 2.4.0 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in both registries and CI/CD pipelines, including custom-built images that bundle the gun library directly. Any image layer containing a gun release from 1.0.0 through 2.3.x is flagged automatically.
HarborGuard is capable of scoring this finding at CVSS 8.7 (HIGH, v4.0) and weighting it against each environment's compliance policy to determine urgency. Triage results are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
A patched-image rebuild pinned to gun 2.4.0 (commit f3e7e0568b3c4cf9fa4bea79d5116e67ce76ad25) is available on HarborGuard for any image found running an affected version. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Required
The attacker must operate a server reachable over the network that the gun client connects to; the malicious payload is delivered as an HTTP response over that connection.
- Authentication: Not required
No credentials are needed on the client side; the attacker only needs the gun client to open a connection to a server they control.
- Victim interaction: Not required
No user action is needed beyond the application making an outbound HTTP request, which is normal application behavior.
- Attack complexity: Low
Exploitation is reliable and condition-free; sending a partial HTTP response that never terminates is sufficient to trigger unbounded buffer growth.
Blast Radius
- The BEAM node running the gun client process exhausts all available system memory and crashes, terminating every Erlang process on the node.
- All in-flight requests and active connections sharing the node are dropped without clean shutdown.
- Any application state held only in memory (session data, in-progress work queues, caches) is lost at the moment of the out-of-memory crash.
- Downstream services depending on the crashed node lose connectivity until the node is restarted and reconnects.
How HarborGuard Handles This
Available on HarborGuard: any image containing gun 1.0.0 through 2.3.x is matched against this CVE within minutes of advisory ingestion, across both registry scans and pipeline checks. A rebuilt image at gun 2.4.0 becomes available immediately upon detection. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, executes regression tests, and opens a pull request against affected workloads automatically; median time from publication to merged PR for high-severity findings is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is surfaced in the triage queue with the fix version and commit hash (f3e7e0568b3c4cf9fa4bea79d5116e67ce76ad25) cited for manual action. As a compensating control while a rebuild is being prepared, consider applying network policy to restrict which server endpoints the affected service is permitted to connect to, reducing exposure to attacker-controlled servers that could serve a malicious response.
- ninenines / gun: < 2.4.0 (from 1.0.0)
- ninenines / gun: < f3e7e0568b3c4cf9fa4bea79d5116e67ce76ad25 (from 11dfe71f4b9aedaaedea2ad3b2f32fd006a8480f)
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N