CVE Catalog

CVE-2026-43966

MediumCVSS 6.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.05%

15th percentile - higher than 15% of all known CVEs

Summary

CVE-2026-43966 describes an improper neutralization of CRLF sequences in HTTP headers in the cowlib library, allowing HTTP response splitting through the injection of non-VCHAR bytes in structured field values.

Risk Assessment

An attacker can inject CRLF sequences into HTTP headers, potentially taking control of the server's response and enabling attacks such as phishing or redirection.

Recommendation

It is recommended to update the cowlib library to the latest version to mitigate this vulnerability and to validate and sanitize input data before using it in HTTP headers.

Original NVD description (English source)

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields string values. cow_http_struct_hd:escape_string/2 in cowlib only escapes \ and ", passing all other bytes through verbatim. This creates an encoder/decoder asymmetry: the matching parser accepts only printable ASCII (0x20–0x7E, excluding " and \), but the encoder emits any byte including CR and LF. An application that builds a structured HTTP header via cow_http_struct_hd:item/1 (or a higher-level wrapper such as cow_http_hd:wt_protocol/1) from attacker-controlled input can have \r\n injected into the serialized header value. Once on the wire, the injected CRLF terminates the current header and any following bytes are interpreted as a new header, enabling HTTP response splitting. This issue affects cowlib from 2.9.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS