CVE-2026-43973: CWE-770 Allocation of Resources Without Limits or Throttling in ninenines gun
CVE-2026-43973 is a high-severity vulnerability in the ninenines gun HTTP client library (gun_http module) versions before 2. 4. 0. It allows a malicious server to cause uncontrolled memory consumption on the client by sending an incomplete HTTP/1. 1 response that never completes header or body terminators. This leads to unbounded buffering of incoming data in the client process, potentially exhausting all available memory and causing a node-wide crash. The vulnerability arises from lack of upper-bound checks on buffer size during response parsing. No official patch or remediation level is currently confirmed.
AI Analysis
Technical Summary
The vulnerability in ninenines gun (gun_http module) involves uncontrolled resource consumption due to unbounded HTTP/1.1 response buffering. Specifically, in the gun_http:handle/5 function, incoming TCP data is appended to a buffer without any upper limit until expected HTTP terminators (header or body chunk boundaries) are found. If a malicious server sends a partial response that never completes these terminators, the buffer grows indefinitely. Because the BEAM virtual machine does not impose per-process heap limits by default, this can cause the client process to consume all available memory, resulting in a node-wide out-of-memory crash. This affects gun versions from 1.0.0 up to but not including 2.4.0.
Potential Impact
A malicious or compromised server can exploit this vulnerability by sending a crafted HTTP response that never completes, causing the client to allocate memory without limits. This can lead to exhaustion of all available memory on the node running the gun client, resulting in a denial-of-service condition via a node-wide crash. There is no indication of privilege escalation or data disclosure from the provided data.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider limiting exposure to untrusted servers or implementing external resource limits on the BEAM processes running gun clients to mitigate potential memory exhaustion. Monitor vendor channels for updates regarding patches or official mitigations.
CVE-2026-43973: CWE-770 Allocation of Resources Without Limits or Throttling in ninenines gun
Description
CVE-2026-43973 is a high-severity vulnerability in the ninenines gun HTTP client library (gun_http module) versions before 2. 4. 0. It allows a malicious server to cause uncontrolled memory consumption on the client by sending an incomplete HTTP/1. 1 response that never completes header or body terminators. This leads to unbounded buffering of incoming data in the client process, potentially exhausting all available memory and causing a node-wide crash. The vulnerability arises from lack of upper-bound checks on buffer size during response parsing. No official patch or remediation level is currently confirmed.
CVSS v4.0
Score 8.7high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in ninenines gun (gun_http module) involves uncontrolled resource consumption due to unbounded HTTP/1.1 response buffering. Specifically, in the gun_http:handle/5 function, incoming TCP data is appended to a buffer without any upper limit until expected HTTP terminators (header or body chunk boundaries) are found. If a malicious server sends a partial response that never completes these terminators, the buffer grows indefinitely. Because the BEAM virtual machine does not impose per-process heap limits by default, this can cause the client process to consume all available memory, resulting in a node-wide out-of-memory crash. This affects gun versions from 1.0.0 up to but not including 2.4.0.
Potential Impact
A malicious or compromised server can exploit this vulnerability by sending a crafted HTTP response that never completes, causing the client to allocate memory without limits. This can lead to exhaustion of all available memory on the node running the gun client, resulting in a denial-of-service condition via a node-wide crash. There is no indication of privilege escalation or data disclosure from the provided data.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider limiting exposure to untrusted servers or implementing external resource limits on the BEAM processes running gun clients to mitigate potential memory exhaustion. Monitor vendor channels for updates regarding patches or official mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-05-04T18:23:25.574Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a26d2d1e29bf47b50f21657
Added to database: 6/8/2026, 2:33:53 PM
Last enriched: 6/8/2026, 2:48:58 PM
Last updated: 6/8/2026, 4:01:42 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.