CVE-2026-34715
Received - Intake
HTTP Response Splitting in ewe Web Server encode_headers Function

Publication date: 2026-04-02

Last updated on: 2026-04-10

Assigner: GitHub, Inc.

Description
ewe is a Gleam web server. Prior to version 3.0.6, the encode_headers function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP bytes without validating or stripping CRLF (\r\n) sequences. An application that passes user-controlled data into response headers (e.g., setting a Location redirect header from a request parameter) allows an attacker to inject arbitrary HTTP response content, leading to response splitting, cache poisoning, and possible cross-site scripting. Notably, ewe does validate CRLF in incoming request headers via validate_field_value() in the HTTP/1.1 parser, but provides no equivalent protection for outgoing response headers in the encoder. This issue has been patched in version 3.0.6.
Meta Information
Published: 2026-04-02
Last Modified: 2026-04-10
Generated: 2026-05-07
AI Q&A: 2026-04-02
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: vshakitskiy
Product: ewe
Version / Range: up to 3.0.6 (excluding)
Exploitability
CWE-113: The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
AI Powered Q&A
How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers to perform HTTP response splitting attacks, which can lead to cache poisoning and cross-site scripting (XSS).

  • HTTP response splitting enables attackers to inject arbitrary headers or responses, potentially manipulating how your web server communicates with clients.
  • Cache poisoning can cause clients or intermediary caches to store malicious or incorrect content, affecting data integrity and user experience.
  • Cross-site scripting (XSS) attacks can be facilitated by injecting malicious scripts into HTTP responses, potentially compromising user data or session security.

Overall, the vulnerability can undermine the integrity of HTTP responses and expose users to security risks without requiring any privileges or user interaction.


Can you explain this vulnerability to me?

CVE-2026-34715 is a vulnerability in the Gleam web server 'ewe' versions prior to 3.0.6. The issue arises because the encode_headers function directly inserts HTTP response header keys and values into raw HTTP bytes without checking or removing CRLF (Carriage Return Line Feed) sequences. This lack of validation allows an attacker to inject malicious HTTP response content by including CRLF sequences in user-controlled data passed into response headers.

Specifically, this vulnerability enables HTTP response splitting, cache poisoning, and potential cross-site scripting (XSS) attacks. While incoming HTTP request headers are properly validated to reject CRLF sequences, outgoing response headers lack this protection, making it possible for attackers to manipulate HTTP responses by injecting additional headers or even a second HTTP response.

The vulnerability has been fixed in version 3.0.6 by sanitizing and validating header keys and values to strip out CR and LF characters before encoding.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring HTTP responses for injected CRLF sequences that lead to response splitting or additional headers being inserted unexpectedly.

One practical approach is to craft HTTP requests that include CRLF-encoded characters in parameters reflected in response headers (e.g., the Location header) and observe if additional headers or response content are injected.

For example, using curl to test a vulnerable server might look like this:

  • curl -v "http://targetserver/path?next=%0d%0aX-Injected:%20true"

If the response headers include the injected header (e.g., X-Injected: true), the server is vulnerable.

Additionally, network monitoring tools or intrusion detection systems can be configured to detect suspicious CRLF sequences in HTTP response headers.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation is to upgrade the ewe web server to version 3.0.6 or later, where the vulnerability has been patched.

The patch sanitizes and validates all outgoing HTTP response header keys and values by stripping or rejecting CR and LF characters before encoding, preventing header injection and response splitting.

If upgrading immediately is not possible, ensure that your application does not reflect user-controlled input directly into HTTP response headers without proper sanitization.

Implement input validation or encoding on any user-supplied data used in response headers to remove or encode CRLF sequences.
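An added Python illustration (not ewe's Gleam code) of the defect the description reports and of the two fixes the answer above mentions: a header encoder that interpolates keys and values verbatim, beside variants that reject or strip CR/LF before encoding. The function names, the header names and the sample redirect value are constructed for this example.

```python
import re

CRLF = b"\r\n"


class HeaderInjectionError(ValueError):
    """Raised when a header key or value carries CR, LF or NUL."""


def encode_headers_unsafe(headers):
    """Pre-3.0.6 style: keys and values are written into the raw header
    block as-is, so a CRLF inside a value terminates the header line."""
    return b"".join(f"{k}: {v}".encode("latin-1") + CRLF for k, v in headers)


def validate_field(label, text):
    """Reject control characters, as ewe already does for request headers."""
    if re.search(r"[\r\n\0]", text):
        raise HeaderInjectionError(f"control character in header {label}: {text!r}")
    return text


def encode_headers_reject(headers):
    """Hardened encoder: refuse to emit any header that would split the response."""
    return b"".join(
        f"{validate_field('key', k)}: {validate_field('value', v)}".encode("latin-1") + CRLF
        for k, v in headers
    )


def encode_headers_strip(headers):
    """Alternative fix: drop CR/LF so the value stays on a single line."""
    def clean(s):
        return s.replace("\r", "").replace("\n", "")
    return b"".join(f"{clean(k)}: {clean(v)}".encode("latin-1") + CRLF for k, v in headers)


def header_lines(raw):
    """Header lines actually on the wire; more lines than headers means a split."""
    return raw.count(CRLF)


def would_split(headers):
    return header_lines(encode_headers_unsafe(headers)) > len(headers)


def is_rejected(headers):
    try:
        encode_headers_reject(headers)
    except HeaderInjectionError:
        return True
    return False


# Constructed sample: a redirect target copied straight from a request parameter
# (the %0d%0a in the curl probe above decodes to exactly this CRLF).
INJECTED_NEXT = "/home\r\nX-Injected: true"
```

Rejecting is preferable to stripping in a library, because a rejected header surfaces the injection attempt in application logs instead of silently emitting a mangled value.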


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-34715 involves improper sanitization of CRLF sequences in HTTP response headers, which can lead to HTTP response splitting, cache poisoning, and potential cross-site scripting (XSS) attacks.

Such vulnerabilities can undermine the integrity and security of web applications by allowing attackers to manipulate HTTP responses, potentially exposing users to malicious content or unauthorized data manipulation.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the presence of injection and XSS vulnerabilities can negatively impact compliance by risking unauthorized data exposure or manipulation, which these regulations aim to prevent.

Therefore, failure to address this vulnerability could lead to non-compliance with security requirements in these regulations that mandate protection of data integrity and confidentiality.

