The vulnerability exists in the gun_http:handle_inform/8 function, which upon receiving a 101 Switching Protocols response over HTTP/1.1, only checks the syntactic validity of the Upgrade header and that the stream reference is plain, but does not verify if the client sent an Upgrade or Connection: upgrade header in the request. Consequently, any unsolicited 101 response causes gun to dispatch a gun_upgrade message and switch the connection to raw protocol mode. In raw mode, gun_raw disables flow control and re-arms socket active mode after every packet, allowing a malicious server to flood the client with arbitrary data. This data is forwarded as unbounded gun_data messages to the owner process, leading to mailbox and memory exhaustion and crashing the BEAM VM. The issue affects gun versions from 2.0.0 up to but not including 2.4.0.

A malicious or compromised HTTP server can exploit this vulnerability by sending unsolicited 101 Switching Protocols responses to any HTTP/1.1 request, causing the gun client to abandon HTTP framing and enter raw protocol mode. This results in unbounded data flooding to the client process, exhausting its mailbox and BEAM memory, and ultimately causing a denial of service through VM crash. The impact is high due to the potential for complete service disruption of applications relying on the gun HTTP client.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch link is provided in the available data. Until a patch is available, users should consider avoiding untrusted HTTP servers or implementing additional network-level protections to detect and block unsolicited 101 Switching Protocols responses. Monitor vendor communications for updates on remediation.