ninenines gun
- >= 2.0.0, < 2.4.0
An origin validation error has been identified in the HTTP/2 module of ninenines gun, the Erlang HTTP client, in versions 2.0.0 up to but not including 2.4.0. When a server sends a PUSH_PROMISE frame, gun stores the frame's :authority pseudo-header for the promised stream without checking it against the origin the connection was opened to. HTTP/2 (RFC 7540 section 8.2, RFC 9113 section 8.4) requires the opposite: a client MUST treat a PUSH_PROMISE for an authority the server is not authoritative for as a connection error of type PROTOCOL_ERROR. Because the check is missing, a malicious HTTP/2 server can push a response whose Set-Cookie header is stored in gun's shared cookie store under a host it does not control, i.e. it can inject cookies cross-origin.
Impact: the attacker chooses the name and value of a cookie that gun will later send to the victim origin from the same cookie store. If that cookie is the application's session cookie and the application does not regenerate the session identifier on authentication, this is a classic session fixation: the attacker knows the session identifier before the victim logs in, and can use it afterwards to take over the account.
To reproduce, use a gun version in the affected range (2.0.0 up to 2.3.x), configure it with a cookie store, and open an HTTP/2 connection, with server push enabled, to a server under the tester's control. Have that server send a PUSH_PROMISE whose :authority names a different host than the one the connection was opened to (for example a host the client also talks to through the same cookie store), followed by the pushed response carrying a Set-Cookie header. Affected gun versions record the foreign authority for the promised stream and store the cookie against that host; a subsequent request to that host from the same cookie store then carries the attacker-chosen cookie. A patched client must instead reject the PUSH_PROMISE as a PROTOCOL_ERROR.
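The following added example models the behaviour described above in Python; it is not gun's code and does not use gun's API. A minimal per-host cookie store and an HTTP/2 client-connection model receive a constructed PUSH_PROMISE from a malicious origin for a foreign authority. With validation switched off (the affected behaviour) the pushed Set-Cookie lands under the foreign host; with validation on (what the fix must do) the push is rejected with the PROTOCOL_ERROR the RFC requires, and a same-origin push still goes through. All class, function and host names are hypothetical.

```python
"""Model of HTTP/2 PUSH_PROMISE authority validation and a shared cookie store.

Added example, not gun's code. It mirrors the logic described in the advisory:
a client that records a PUSH_PROMISE's :authority without checking it against
the connection's origin lets a server set cookies for hosts it does not own.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DEFAULT_PORTS = {"http": 80, "https": 443}


class PushPromiseError(Exception):
    """Raised where RFC 9113 section 8.4 requires a PROTOCOL_ERROR: the server
    pushed for an authority it is not authoritative for on this connection."""


def parse_authority(authority: str, scheme: str) -> Tuple[str, int]:
    """Split 'host[:port]' into (lower-cased host, port), defaulting the port
    from the scheme. IPv6 literals in :authority are bracketed (RFC 3986), so
    rpartition on ':' isolates the port correctly; userinfo is not handled."""
    host, sep, port = authority.rpartition(":")
    if sep and port.isdigit():
        return host.lower(), int(port)
    return authority.lower(), DEFAULT_PORTS[scheme]


@dataclass
class CookieStore:
    """Shared, per-host cookie jar (deliberately minimal stand-in: no Domain,
    Path, Secure or expiry handling)."""
    jar: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def set_cookie(self, host: str, name: str, value: str) -> None:
        self.jar.setdefault(host, {})[name] = value

    def cookies_for(self, host: str) -> Dict[str, str]:
        return dict(self.jar.get(host, {}))


@dataclass
class H2ClientConnection:
    """One HTTP/2 connection to (scheme, host, port) sharing a CookieStore.
    validate_push_authority=False models the affected behaviour; True models
    the check a fixed client performs."""
    scheme: str
    host: str
    port: int
    store: CookieStore
    validate_push_authority: bool
    promised: Dict[int, str] = field(default_factory=dict)  # stream id -> host

    def on_push_promise(self, promised_stream_id: int, pseudo: Dict[str, str]) -> None:
        scheme = pseudo.get(":scheme", self.scheme)
        host, port = parse_authority(pseudo[":authority"], scheme)
        origin = (self.scheme, self.host.lower(), self.port)
        if self.validate_push_authority and (scheme, host, port) != origin:
            # Fixed behaviour: the server is not authoritative for this authority
            # on this connection, so the push is a PROTOCOL_ERROR.
            raise PushPromiseError(
                f"PUSH_PROMISE for {scheme}://{host}:{port} on a connection to "
                f"{self.scheme}://{self.host}:{self.port}")
        # Affected behaviour (or a legitimate push): remember the authority so
        # the pushed response's cookies are stored under it.
        self.promised[promised_stream_id] = host

    def on_push_response(self, stream_id: int, headers: List[Tuple[str, str]]) -> None:
        host = self.promised.pop(stream_id)
        for name, value in headers:
            if name.lower() == "set-cookie":
                cname, _, cvalue = value.partition(";")[0].partition("=")
                self.store.set_cookie(host, cname.strip(), cvalue.strip())


def simulate(validate: bool, pushed_authority: str) -> Tuple[Dict[str, str], str]:
    """Connect to attacker.example, receive a push promised for pushed_authority
    that carries a Set-Cookie, and return (cookies now stored for that host,
    'accepted' or 'rejected: ...'). All frames below are constructed."""
    store = CookieStore()
    conn = H2ClientConnection("https", "attacker.example", 443, store, validate)
    push_promise = {":method": "GET", ":scheme": "https",
                    ":authority": pushed_authority, ":path": "/"}
    pushed_headers = [(":status", "200"),
                      ("set-cookie", "session=attacker-chosen; Path=/; Secure")]
    try:
        conn.on_push_promise(2, push_promise)
        conn.on_push_response(2, pushed_headers)
        outcome = "accepted"
    except PushPromiseError as exc:
        outcome = f"rejected: {exc}"
    target_host, _ = parse_authority(pushed_authority, "https")
    return store.cookies_for(target_host), outcome


if __name__ == "__main__":
    for validate in (False, True):
        cookies, outcome = simulate(validate, "bank.example")
        print(f"validate={validate}: {outcome}; cookies for bank.example: {cookies}")
```

Running it shows the affected path storing `session=attacker-chosen` for `bank.example` although the connection was to `attacker.example`, and the validating path rejecting the frame before any cookie is stored. The comparison is deliberately on the full (scheme, host, port) triple: comparing only the host name would still let a server on port 8443 push for the same host on 443.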
Upgrade to gun 2.4.0 or later, where the PUSH_PROMISE authority is validated against the connection's origin. Until the upgrade is deployed, the exposure can be reduced at the protocol level by not enabling HTTP/2 server push on the client (a client that advertises SETTINGS_ENABLE_PUSH = 0 must not receive PUSH_PROMISE frames), and by not sharing one cookie store between connections to trusted and untrusted origins.