The vulnerability arises because gun_http2:push_promise_frame/7 stores the :authority pseudo-header from incoming PUSH_PROMISE frames without validating that it matches the connection's origin. Later, when processing response headers for the promised stream, gun_cookies:set_cookie_header/7 uses this unvalidated authority to set cookies before any status checks or user code intervention. This allows a malicious HTTP/2 server to plant cookies for arbitrary domains in the client's shared cookie store, violating HTTP/2 protocol requirements and enabling session fixation and potential account takeover attacks. The flaw affects gun versions starting at 2.0.0 up to but not including 2.4.0.

An attacker controlling or compromising an HTTP/2 server can exploit this vulnerability to inject cookies scoped to arbitrary third-party domains into a client's cookie store. This can lead to session fixation attacks against those domains and may result in account takeover if the injected cookie overrides a legitimate session token. No user interaction beyond a normal HTTP/2 request to the malicious server is required. The CVSS 4.0 base score is 6.3 (medium severity), reflecting network attack vector, low complexity, no privileges required, no user interaction, and limited impact on confidentiality, integrity, and availability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch link is provided in the available data. Until a patch is released, users should avoid making HTTP/2 requests to untrusted or potentially compromised servers using affected gun versions (2.0.0 before 2.4.0). Monitor vendor communications for updates and apply official fixes once available.