Home

Description

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields string values. cow_http_struct_hd:escape_string/2 in cowlib only escapes \ and ", passing all other bytes through verbatim. This creates an encoder/decoder asymmetry: the matching parser accepts only printable ASCII (0x20–0x7E, excluding " and \), but the encoder emits any byte including CR and LF. An application that builds a structured HTTP header via cow_http_struct_hd:item/1 (or a higher-level wrapper such as cow_http_hd:wt_protocol/1) from attacker-controlled input can have \r\n injected into the serialized header value. Once on the wire, the injected CRLF terminates the current header and any following bytes are interpreted as a new header, enabling HTTP response splitting. This issue affects cowlib from 2.9.0.

PUBLISHED Reserved 2026-05-04 | Published 2026-06-08 | Updated 2026-06-09 | Assigner EEF




MEDIUM: 6.3CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

Problem types

CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

Product status

Default status
unaffected

2.9.0 (semver)
affected

Default status
unaffected

a8b793db3d6ffe91d62f81baf41b1dab4cd78fb6 (git)
affected

Credits

Peter Ullrich finder

Loïc Hoguin remediation developer

References

cna.erlef.org/cves/CVE-2026-43966.html related third-party-advisory

osv.dev/vulnerability/EEF-CVE-2026-43966 related

github.com/...ommit/f77cb9b5e730e300fffb551db1ba5d1c4ed878ef mitigation

github.com/...ommit/4f35609eb37109b106a863fc9ba83d7ee64e3e42 mitigation

cve.org (CVE-2026-43966)

nvd.nist.gov (CVE-2026-43966)

Download JSON