CVE-2026-43966

HTTP Response Splitting via Non-VCHAR Bytes in cow_http_struct_hd:escape_string/2

Previous Page: « Back to all CVEs Next Page: See on OSV.dev »

Weakness Type (CWE)

CWE-113 — CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

CAPEC

• CAPEC-34 — CAPEC-34 HTTP Response Splitting

CVSS 4.0 Score

6.3

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

Vulnerability description

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields string values.

cow_http_struct_hd:escape_string/2 in cowlib only escapes \ and ", passing all other bytes through verbatim. This creates an encoder/decoder asymmetry: the matching parser accepts only printable ASCII (0x20–0x7E, excluding " and \), but the encoder emits any byte including CR and LF. An application that builds a structured HTTP header via cow_http_struct_hd:item/1 (or a higher-level wrapper such as cow_http_hd:wt_protocol/1) from attacker-controlled input can have \r\n injected into the serialized header value. Once on the wire, the injected CRLF terminates the current header and any following bytes are interpreted as a new header, enabling HTTP response splitting.

This issue affects cowlib from 2.9.0.

Affected

pkg:hex/cowlib

Module	Source File	Routine
cow_http_struct_hd	src/cow_http_struct_hd.erl	cow_http_struct_hd:escape_string/2
		cow_http_struct_hd:bare_item/1

Status	Type	Version
affected	semver ⓘ	2.9.0

pkg:github/ninenines/cowlib

Module	Source File	Routine
cow_http_struct_hd	src/cow_http_struct_hd.erl	cow_http_struct_hd:escape_string/2
		cow_http_struct_hd:bare_item/1

Status	Type	Version
affected	git ⓘ	a8b793db3d

Configurations

The application must pass attacker-controlled data as a string value into cow_http_struct_hd:item/1 (or a wrapper that delegates to it). Applications that construct structured-fields header values exclusively from trusted, application-controlled values are not affected.

Workarounds

Validate all values passed into structured-fields header builders (directly via cow_http_struct_hd:item/1 or indirectly via higher-level wrappers) before calling the encoder. Reject any value that is not from a trusted, application-controlled source or that contains CR (\r) or LF (\n) bytes.

Applications using cowboy 2.16.0 or later are protected on the server side by the invalid_response_headers option (defaults to error_terminate), which rejects any outgoing response header value containing CR or LF before it reaches the wire. Applications using gun 2.4.0 or later are protected on the client side by the invalid_request_headers request option (defaults to raise), which raises an exception when an outgoing request header value contains CR or LF.

References

• https://osv.dev/vulnerability/EEF-CVE-2026-43966 related
• https://github.com/ninenines/cowboy/commit/f77cb9b5e730e300fffb551db1ba5d1c4ed878ef mitigation
• https://github.com/ninenines/gun/commit/4f35609eb37109b106a863fc9ba83d7ee64e3e42 mitigation

Credits

• Finder: Peter Ullrich
• Remediation developer: Loïc Hoguin

CVE record as JSON:  GET /cves/CVE-2026-43966.json
OSV record as JSON:  GET /osv/EEF-CVE-2026-43966.json