EEF-CVE-2026-43972

Source
https://cna.erlef.org/osv/EEF-CVE-2026-43972.html
Import Source
https://cna.erlef.org/osv/EEF-CVE-2026-43972.json
JSON Data
https://api.osv.dev/v1/vulns/EEF-CVE-2026-43972
Aliases
  • CVE-2026-43972
Published
2026-06-08T14:12:38.780Z
Modified
2026-06-08T16:34:45.350Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
Summary
gun HTTP/2 PUSH_PROMISE authority not validated against connection origin allows cross-origin cookie injection
Details

Summary

Origin Validation Error vulnerability in ninenines gun (gun_http2 module) allows cross-origin cookie injection via unvalidated HTTP/2 PUSH_PROMISE authority.

In gun_http2:push_promise_frame/7, the :authority pseudo-header from an incoming PUSH_PROMISE frame is stored verbatim into the promised stream record without checking that it matches the connection's origin. When gun_http2:headers_frame/9 later processes the response headers for the promised stream, it calls gun_cookies:set_cookie_header/7 with the unvalidated server-supplied authority before any status branching and before user code can act. This violates RFC 7540 §10.6 / RFC 9113 §8.4, which require receivers to treat as a protocol error any push for a resource the server is not authoritative for.

A malicious or compromised HTTP/2 server can plant cookies scoped to arbitrary third-party domains into the client's shared cookie store. This enables session fixation attacks against those domains and, if the planted cookie overrides a legitimate session token, may result in account takeover. No user interaction beyond making a normal HTTP/2 request to the attacker-controlled server is required.
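As an added illustration, not gun's own code, the kind of check the advisory says was missing: an Erlang function that compares a PUSH_PROMISE's :scheme and :authority against the origin of the connection it arrived on and rejects the push as a protocol error on any mismatch, so the authority never reaches the cookie store unchecked. The module name and the {Scheme, Host, Port} origin tuple are assumptions made for this example.

```erlang
%% Added example (not gun's code): reject a server push whose :authority does
%% not match the connection origin, as RFC 9113 section 8.4 requires.
-module(push_authority_check).
-export([validate/2, parse_authority/2]).

%% Origin is {Scheme, Host, Port}, e.g. {<<"https">>, <<"example.com">>, 443}.
%% PseudoHeaders is a map of the PUSH_PROMISE pseudo-headers.
%% Returns ok, or {error, protocol_error} when the server is not authoritative.
validate({Scheme, OriginHost, OriginPort}, PseudoHeaders) ->
    PushScheme = maps:get(<<":scheme">>, PseudoHeaders, undefined),
    Authority = maps:get(<<":authority">>, PseudoHeaders, undefined),
    case {PushScheme, parse_authority(Authority, Scheme)} of
        {Scheme, {ok, Host, Port}}
                when Host =:= OriginHost, Port =:= OriginPort ->
            ok;
        _ ->
            %% Scheme, host or port differs, or the authority is missing or
            %% malformed: do not record the promised stream at all.
            {error, protocol_error}
    end.

%% Split "host[:port]" into a lowercase host and an integer port, using the
%% scheme's default port when none is given. Bracketed IPv6 literals are not
%% handled here and therefore fail closed.
parse_authority(undefined, _Scheme) ->
    error;
parse_authority(Authority, Scheme) when is_binary(Authority) ->
    Default = case Scheme of
        <<"https">> -> 443;
        <<"http">> -> 80;
        _ -> undefined
    end,
    case binary:split(Authority, <<":">>) of
        [Host] when Host =/= <<>> ->
            {ok, string:lowercase(Host), Default};
        [Host, PortBin] when Host =/= <<>> ->
            try binary_to_integer(PortBin) of
                Port when Port > 0, Port < 65536 ->
                    {ok, string:lowercase(Host), Port};
                _ ->
                    error
            catch
                error:badarg -> error
            end;
        _ ->
            error
    end.
```

A connection to https://example.com:443 would accept a push for `<<"EXAMPLE.com">>` (host comparison is case-insensitive) and reject `<<"victim.example">>` or `<<"example.com:8443">>`.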

This issue affects gun: from 2.0.0 before 2.4.0.

Configuration

The vulnerability is exploitable only when gun is configured with a cookie_store and connects to an HTTP/2 server with server push enabled.

Database specific
{
    "cpe_ids": [
        "cpe:2.3:a:ninenines:gun:*:*:*:*:*:*:*:*"
    ],
    "capec_ids": [
        "CAPEC-61"
    ],
    "cwe_ids": [
        "CWE-346"
    ]
}
References
Credits
    • Peter Ullrich - FINDER
    • Loïc Hoguin - REMEDIATION_DEVELOPER

Affected packages

Hex / gun

Package

Name
gun
Purl
pkg:hex/gun

Affected ranges

Type
SEMVER
Events
Introduced
2.0.0
Fixed
2.4.0

Affected versions

2.*
2.0.0
2.0.1
2.1.0
2.2.0
2.3.0

Database specific

source
"https://cna.erlef.org/osv/EEF-CVE-2026-43972.json"

Git / github.com/ninenines/gun.git

Affected ranges

Type
GIT
Repo
https://github.com/ninenines/gun.git
Events

Affected versions

2.*
2.0.0
2.0.0-pre.1
2.0.0-pre.2
2.0.0-rc.1
2.0.0-rc.2
2.0.1
2.1.0
2.2.0
2.3.0

Database specific

source
"https://cna.erlef.org/osv/EEF-CVE-2026-43972.json"