HTTP Response Splitting via Non-VCHAR Bytes in cow_http_struct_hd:escape_string/2
Summary
| CVE | CVE-2026-43966 |
|---|---|
| State | PUBLISHED |
| Assigner | EEF |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-08 17:16:43 UTC |
| Updated | 2026-06-08 17:16:43 UTC |
| Description | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields string values. cow_http_struct_hd:escape_string/2 in cowlib only escapes \ and ", passing all other bytes through verbatim. This creates an encoder/decoder asymmetry: the matching parser accepts only printable ASCII (0x20–0x7E, excluding " and \), but the encoder emits any byte including CR and LF. An application that builds a structured HTTP header via cow_http_struct_hd:item/1 (or a higher-level wrapper such as cow_http_hd:wt_protocol/1) from attacker-controlled input can have \r\n injected into the serialized header value. Once on the wire, the injected CRLF terminates the current header and any following bytes are interpreted as a new header, enabling HTTP response splitting. This issue affects cowlib from 2.9.0. |
Risk And Classification
Primary CVSS: v4.0 6.3 MEDIUM from 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.000620000 probability, percentile 0.197950000 (date 2026-06-14)
Problem Types: CWE-113 | CWE-113 CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | Secondary | 6.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 6.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/ninenines/gun/commit/4f35609eb37109b106a863fc9ba83d7ee64e3e42 | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | github.com | |
| cna.erlef.org/cves/CVE-2026-43966.html | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | cna.erlef.org | |
| osv.dev/vulnerability/EEF-CVE-2026-43966 | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | osv.dev | |
| github.com/ninenines/cowboy/commit/f77cb9b5e730e300fffb551db1ba5d1c4ed878ef | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Peter Ullrich (en)
CNA: Loïc Hoguin (en)
Additional Advisory Data
Workarounds
CNA: Validate all values passed into structured-fields header builders (directly via cow_http_struct_hd:item/1 or indirectly via higher-level wrappers) before calling the encoder. Reject any value that is not from a trusted, application-controlled source or that contains CR (\r) or LF (\n) bytes. Applications using cowboy 2.16.0 or later are protected on the server side by the invalid_response_headers option (defaults to error_terminate), which rejects any outgoing response header value containing CR or LF before it reaches the wire. Applications using gun 2.4.0 or later are protected on the client side by the invalid_request_headers request option (defaults to raise), which raises an exception when an outgoing request header value contains CR or LF.