CVE-2026-34715
Received Received - Intake
HTTP Response Splitting in ewe Web Server encode_headers Function

Publication date: 2026-04-02

Last updated on: 2026-04-10

Assigner: GitHub, Inc.

Description
ewe is a Gleam web server. Prior to version 3.0.6, the encode_headers function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP bytes without validating or stripping CRLF (\r\n) sequences. An application that passes user-controlled data into response headers (e.g., setting a Location redirect header from a request parameter) allows an attacker to inject arbitrary HTTP response content, leading to response splitting, cache poisoning, and possible cross-site scripting. Notably, ewe does validate CRLF in incoming request headers via validate_field_value() in the HTTP/1.1 parser β€” but provides no equivalent protection for outgoing response headers in the encoder. This issue has been patched in version 3.0.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-10
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34715
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vshakitskiy ewe to 3.0.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-113 The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can impact you by allowing attackers to perform HTTP response splitting attacks, which can lead to cache poisoning and cross-site scripting (XSS).

  • HTTP response splitting enables attackers to inject arbitrary headers or responses, potentially manipulating how your web server communicates with clients.
  • Cache poisoning can cause clients or intermediary caches to store malicious or incorrect content, affecting data integrity and user experience.
  • Cross-site scripting (XSS) attacks can be facilitated by injecting malicious scripts into HTTP responses, potentially compromising user data or session security.

Overall, the vulnerability can undermine the integrity of HTTP responses and expose users to security risks without requiring any privileges or user interaction.

Executive Summary

CVE-2026-34715 is a vulnerability in the Gleam web server 'ewe' versions prior to 3.0.6. The issue arises because the encode_headers function directly inserts HTTP response header keys and values into raw HTTP bytes without checking or removing CRLF (Carriage Return Line Feed) sequences. This lack of validation allows an attacker to inject malicious HTTP response content by including CRLF sequences in user-controlled data passed into response headers.

Specifically, this vulnerability enables HTTP response splitting, cache poisoning, and potential cross-site scripting (XSS) attacks. While incoming HTTP request headers are properly validated to reject CRLF sequences, outgoing response headers lack this protection, making it possible for attackers to manipulate HTTP responses by injecting additional headers or even a second HTTP response.

The vulnerability has been fixed in version 3.0.6 by sanitizing and validating header keys and values to strip out CR and LF characters before encoding.

Detection Guidance

This vulnerability can be detected by monitoring HTTP responses for injected CRLF sequences that lead to response splitting or additional headers being inserted unexpectedly.

One practical approach is to craft HTTP requests that include CRLF-encoded characters in parameters reflected in response headers (e.g., the Location header) and observe if additional headers or response content are injected.

For example, using curl to test a vulnerable server might look like this:

  • curl -v "http://targetserver/path?next=%0d%0aX-Injected:%20true"

If the response headers include the injected header (e.g., X-Injected: true), the server is vulnerable.

Additionally, network monitoring tools or intrusion detection systems can be configured to detect suspicious CRLF sequences in HTTP response headers.

Mitigation Strategies

The immediate mitigation is to upgrade the ewe web server to version 3.0.6 or later, where the vulnerability has been patched.

The patch sanitizes and validates all outgoing HTTP response header keys and values by stripping or rejecting CR and LF characters before encoding, preventing header injection and response splitting.

If upgrading immediately is not possible, ensure that your application does not reflect user-controlled input directly into HTTP response headers without proper sanitization.

Implement input validation or encoding on any user-supplied data used in response headers to remove or encode CRLF sequences.

Compliance Impact

CVE-2026-34715 involves improper sanitization of CRLF sequences in HTTP response headers, which can lead to HTTP response splitting, cache poisoning, and potential cross-site scripting (XSS) attacks.

Such vulnerabilities can undermine the integrity and security of web applications by allowing attackers to manipulate HTTP responses, potentially exposing users to malicious content or unauthorized data manipulation.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the presence of injection and XSS vulnerabilities can negatively impact compliance by risking unauthorized data exposure or manipulation, which these regulations aim to prevent.

Therefore, failure to address this vulnerability could lead to non-compliance with security requirements in these regulations that mandate protection of data integrity and confidentiality.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34715. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart