{"affected":[{"package":{"ecosystem":"Hex","name":"gun","purl":"pkg:hex/gun"},"ranges":[{"events":[{"introduced":"2.0.0"},{"fixed":"2.4.0"}],"type":"SEMVER"}],"versions":["2.0.0","2.0.1","2.1.0","2.2.0","2.3.0"]},{"ranges":[{"events":[{"introduced":"871989eef53663285c165fdfb83a5918ebe00d41"},{"fixed":"567863ff53802fed21c3b3f25812db7f7ae29676"}],"repo":"https://github.com/ninenines/gun.git","type":"GIT"}]}],"aliases":["CVE-2026-43972"],"credits":[{"name":"Peter Ullrich","type":"FINDER"},{"name":"Loïc Hoguin","type":"REMEDIATION_DEVELOPER"}],"database_specific":{"capec_ids":["CAPEC-61"],"cpe_ids":["cpe:2.3:a:ninenines:gun:*:*:*:*:*:*:*:*"],"cwe_ids":["CWE-346"]},"details":"## Summary\n\nOrigin Validation Error vulnerability in ninenines gun (gun\\_http2 module) allows cross-origin cookie injection via unvalidated HTTP/2 PUSH\\_PROMISE authority.\n\nIn gun\\_http2:push\\_promise\\_frame/7, the :authority pseudo-header from an incoming PUSH\\_PROMISE frame is stored verbatim into the promised stream record without checking that it matches the connection's origin. When gun\\_http2:headers\\_frame/9 later processes the response headers for the promised stream, it calls gun\\_cookies:set\\_cookie\\_header/7 with the unvalidated server-supplied authority before any status branching and before user code can act. This violates RFC 7540 §10.6 / RFC 9113 §8.4, which require receivers to treat as a protocol error any push for a resource the server is not authoritative for.\n\nA malicious or compromised HTTP/2 server can plant cookies scoped to arbitrary third-party domains into the client's shared cookie store. This enables session fixation attacks against those domains and, if the planted cookie overrides a legitimate session token, may result in account takeover. No user interaction beyond making a normal HTTP/2 request to the attacker-controlled server is required.\n\nThis issue affects gun: from 2.0.0 before 2.4.0.\n\n## Configuration\n\nThe vulnerability is exploitable only when gun is configured with a cookie\\_store and connects to an HTTP/2 server with server push enabled.","id":"EEF-CVE-2026-43972","modified":"2026-06-08T16:34:45.350Z","published":"2026-06-08T14:12:38.780Z","references":[{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-43972.html"},{"type":"FIX","url":"https://github.com/ninenines/gun/commit/567863ff53802fed21c3b3f25812db7f7ae29676"}],"related":[],"schema_version":"1.7.3","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N","type":"CVSS_V4"}],"summary":"gun HTTP/2 PUSH_PROMISE authority not validated against connection origin allows cross-origin cookie injection","upstream":[]}