{"affected":[{"package":{"ecosystem":"Hex","name":"gun","purl":"pkg:hex/gun"},"ranges":[{"events":[{"introduced":"2.0.0"},{"fixed":"2.4.0"}],"type":"SEMVER"}],"versions":["2.0.0","2.0.1","2.1.0","2.2.0","2.3.0"]},{"ranges":[{"events":[{"introduced":"a3c2edbb8c807717e2f10520c6cf1e77a62eab2e"},{"fixed":"5b48068c29ce5e112cb149b5857c7d4dc319a81b"}],"repo":"https://github.com/ninenines/gun.git","type":"GIT"}]}],"aliases":["CVE-2026-43974"],"credits":[{"name":"Peter Ullrich","type":"FINDER"},{"name":"Loïc Hoguin","type":"REMEDIATION_DEVELOPER"}],"database_specific":{"capec_ids":["CAPEC-220","CAPEC-130"],"cpe_ids":["cpe:2.3:a:ninenines:gun:*:*:*:*:*:*:*:*"],"cwe_ids":["CWE-841"]},"details":"## Summary\n\nUnexpected Status Code or Return Value vulnerability in ninenines gun (gun\\_http module) allows a malicious HTTP server to force the client into raw protocol mode via an unsolicited 101 Switching Protocols response.\n\nIn gun\\_http:handle\\_inform/8, when a 101 Switching Protocols response is received over HTTP/1.1, the function verifies only that the Upgrade header is syntactically valid and that the stream reference is a plain reference(). It does not check whether the client ever sent an Upgrade or Connection: upgrade header on the corresponding request. Because this check is absent, any 101 response (solicited or not) causes gun to dispatch a gun\\_upgrade message to the caller and transition the entire connection to raw protocol mode.\n\nA malicious or compromised HTTP server can send an unsolicited 101 response to any HTTP/1.1 request, causing the gun client to abandon HTTP framing for that connection. Once in raw mode, gun\\_raw applies no flow control (flow=infinity) and re-arms socket active mode after every received packet, so the server can flood the client with arbitrary bytes. These are forwarded as unbounded gun\\_data messages to the owner process, exhausting its mailbox and BEAM memory, ultimately crashing the VM.\n\nThis issue affects gun: from 2.0.0 before 2.4.0.","id":"EEF-CVE-2026-43974","modified":"2026-06-08T16:34:38.989Z","published":"2026-06-08T14:12:36.957Z","references":[{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-43974.html"},{"type":"FIX","url":"https://github.com/ninenines/gun/commit/5b48068c29ce5e112cb149b5857c7d4dc319a81b"}],"related":[],"schema_version":"1.7.3","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","type":"CVSS_V4"}],"summary":"gun HTTP/1.1 client accepts unsolicited 101 Switching Protocols response allowing server-driven protocol hijack and OOM","upstream":[]}