{"affected":[{"package":{"ecosystem":"Hex","name":"cowlib","purl":"pkg:hex/cowlib"},"ranges":[{"events":[{"introduced":"2.9.0"}],"type":"SEMVER"}],"versions":["2.9.0","2.9.1","2.10.0","2.10.1","2.11.0","2.12.0","2.12.1","2.13.0","2.14.0","2.15.0","2.16.0"]},{"ranges":[{"events":[{"introduced":"f017f8a0ecbffd5033d9ab49bf180186f7a523a7"}],"repo":"https://github.com/ninenines/cowlib","type":"GIT"}]}],"aliases":["CVE-2026-43969"],"credits":[{"name":"Peter Ullrich","type":"FINDER"}],"database_specific":{"capec_ids":["CAPEC-105"],"cpe_ids":["cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"],"cwe_ids":["CWE-93"]},"details":"## Summary\n\nImproper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields.\n\ncow_cookie:cookie/1 in cowlib builds a client-side Cookie: request header from a list of name-value pairs without validating either field. An attacker who controls the cookie names or values passed to this function can inject ;, ,, CR, LF, or TAB characters into the serialized header. This enables two classes of attack: cookie smuggling within a single header (e.g. injecting \"; admin=1\" to introduce a phantom cookie that the receiving server treats as authentic) and HTTP request header splitting (injecting CRLF to append arbitrary headers or smuggle a complete second request against a shared upstream proxy). The decoder side (parse_cookie_name/1, parse_cookie_value/1) and setcookie/3 already validate and reject these characters; the encoder alone is missing the check.\n\nThis issue affects cowlib from 2.9.0.\n\n## Workaround\n\nValidate inputs into cow_cookie:cookie/1 to only include valid cookie name and value characters as defined in RFC 6265 Section 4.1.1 before passing them to the function.\n\n## Configuration\n\nThe application must pass attacker-controlled bytes as cookie names or values to cow_cookie:cookie/1. Applications that construct cookie lists exclusively from trusted, application-controlled values are not affected.","id":"EEF-CVE-2026-43969","modified":"2026-05-11T18:24:59.802Z","published":"2026-05-11T18:06:40.667Z","references":[{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-43969.html"},{"type":"FIX","url":"https://github.com/erlef/cowlib/commit/177953dd51540da11090666c1f007214127a1144"},{"type":"PACKAGE","url":"https://hex.pm/packages/cowlib"}],"related":[],"schema_version":"1.7.3","severity":[{"score":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N","type":"CVSS_V4"}],"summary":"Cookie Request Header Injection via Unvalidated Encoder in cow_cookie:cookie/1","upstream":[]}