ewe Web Server Infinite Loop Vulnerability in Trailer Handling

Vulnerability

A denial-of-service vulnerability has been identified in the Gleam web server 'ewe', affecting versions from 0.8.0 up to but not including 3.0.5. The issue lies in the 'handle_trailers' function: when a trailer header is rejected, the function recurses with the original buffer instead of advancing past the rejected header, so the same header is parsed again on every iteration. The resulting loop consumes 100% CPU with no timeout, leaving the BEAM process unresponsive. Any unauthenticated remote client can trigger the loop, and because it occurs before control returns to the application, no workaround can be applied at the application level.
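
As an added illustration (not ewe's own code), the following Python model shows the defect described above beside its corrected form: the vulnerable parser rejects a forbidden trailer without consuming it and so never makes progress, while the fixed parser always advances past the line it just examined. The forbidden-trailer set, the sample buffer and the step guard are constructed assumptions; the real server had no such guard, which is why it spins forever.

```python
# Model of a trailer-handling loop that fails to advance past a rejected header.
FORBIDDEN_TRAILERS = {"host", "content-length", "transfer-encoding"}  # constructed list


def parse_trailer_line(buf: bytes):
    """Split one CRLF-terminated trailer line off the buffer.

    Returns (name, value, rest), or None when the empty line that ends the
    trailer section (or an empty buffer) is reached. Assumes a complete buffer.
    """
    line, _, rest = buf.partition(b"\r\n")
    if line == b"":
        return None
    name, _, value = line.partition(b":")
    return name.strip().lower().decode(), value.strip().decode(), rest


def handle_trailers_vulnerable(buf: bytes, max_steps: int = 1000):
    """Mirrors the reported defect: a rejected trailer is skipped, but the loop
    continues with the ORIGINAL buffer, so the same line is parsed forever.

    Returns (accepted_trailers, spun): spun is True when the step guard fired,
    i.e. the real (unguarded) loop would never have terminated.
    """
    accepted = {}
    for _ in range(max_steps):
        parsed = parse_trailer_line(buf)
        if parsed is None:
            return accepted, False
        name, value, rest = parsed
        if name in FORBIDDEN_TRAILERS:
            continue  # BUG: buf is never set to `rest`, so no progress is made
        accepted[name] = value
        buf = rest
    return accepted, True


def handle_trailers_fixed(buf: bytes):
    """Corrected form: consume the line whether it is accepted or rejected."""
    accepted = {}
    while True:
        parsed = parse_trailer_line(buf)
        if parsed is None:
            return accepted
        name, value, rest = parsed
        buf = rest  # always advance, so a rejected trailer cannot be re-read
        if name not in FORBIDDEN_TRAILERS:
            accepted[name] = value


# Constructed trailer section: one acceptable trailer followed by a forbidden one.
SAMPLE = b"x-checksum: abc\r\nhost: example.com\r\n\r\n"
```

Calling handle_trailers_vulnerable(SAMPLE) exhausts the step guard, whereas handle_trailers_fixed(SAMPLE) returns only the accepted 'x-checksum' trailer.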

Impact

The infinite loop in 'handle_trailers' leaves the server unresponsive and pinned at 100% CPU. This effectively denies service to users, since the server cannot process other requests while it is stuck on the malicious one. The effect can be amplified by sending multiple concurrent requests, further exhausting server resources.

Reproduction

To reproduce the vulnerability, send a chunked HTTP request carrying a forbidden trailer header (such as 'host') to a server running 'ewe' version 0.8.0 through 3.0.4. The server hangs indefinitely, with the process stuck at 100% CPU usage. A command-line tool such as 'nc' (netcat) is sufficient to send the crafted request. Once the request has been sent, the server-side handler process remains permanently stuck and no response is returned to the client.

Remediation

Users can upgrade to 'ewe' version 3.0.5 or later, where this vulnerability has been fixed.

Added: Mar 20, 2026, 2:31 AM
Updated: Mar 20, 2026, 2:31 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 4.2
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.