{"id":"CVE-2026-43972","summary":"gun HTTP/2 PUSH_PROMISE authority not validated against connection origin allows cross-origin cookie injection","details":"Origin Validation Error vulnerability in ninenines gun (gun_http2 module) allows cross-origin cookie injection via unvalidated HTTP/2 PUSH_PROMISE authority.\n\nIn gun_http2:push_promise_frame/7, the :authority pseudo-header from an incoming PUSH_PROMISE frame is stored verbatim into the promised stream record without checking that it matches the connection's origin. When gun_http2:headers_frame/9 later processes the response headers for the promised stream, it calls gun_cookies:set_cookie_header/7 with the unvalidated server-supplied authority before any status branching and before user code can act. This violates RFC 7540 §10.6 / RFC 9113 §8.4, which require receivers to treat as a protocol error any push for a resource the server is not authoritative for.\n\nA malicious or compromised HTTP/2 server can plant cookies scoped to arbitrary third-party domains into the client's shared cookie store. This enables session fixation attacks against those domains and, if the planted cookie overrides a legitimate session token, may result in account takeover. No user interaction beyond making a normal HTTP/2 request to the attacker-controlled server is required.\n\nThis issue affects gun: from 2.0.0 before 2.4.0.","aliases":["EEF-CVE-2026-43972"],"modified":"2026-06-18T03:55:04.270771376Z","published":"2026-06-08T14:12:38.780Z","database_specific":{"cna_assigner":"EEF","cwe_ids":["CWE-346"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43972.json","unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"871989eef53663285c165fdfb83a5918ebe00d41"},{"fixed":"567863ff53802fed21c3b3f25812db7f7ae29676"}]}]},"references":[{"type":"WEB","url":"https://github.com"},{"type":"WEB","url":"https://osv.dev/vulnerability/EEF-CVE-2026-43972"},{"type":"ADVISORY","url":"https://cna.erlef.org/cves/CVE-2026-43972.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43972.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43972"},{"type":"FIX","url":"https://github.com/ninenines/gun/commit/567863ff53802fed21c3b3f25812db7f7ae29676"},{"type":"PACKAGE","url":"https://github.com/ninenines/gun"},{"type":"PACKAGE","url":"https://github.com/ninenines/gun.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ninenines/gun","events":[{"introduced":"33223e751267c5f249f3db1277c13904a1801b92"},{"fixed":"8cc70ed78fc946e5d9c49e92d84bde64ca12db1f"},{"fixed":"567863ff53802fed21c3b3f25812db7f7ae29676"}],"database_specific":{"source":["DESCRIPTION","REFERENCES"],"extracted_events":[{"introduced":"2.0.0"},{"fixed":"2.4.0"}]}}],"versions":["2.3.0","2.2.0","2.1.0","2.0.1","2.0.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43972.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N"}]}