CVE-2026-43969
Analyzed Analyzed - Analysis Complete
CRLF Injection in cowlib

Publication date: 2026-05-11

Last updated on: 2026-05-21

Assigner: EEF

Description
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields. cow_cookie:cookie/1 in cowlib builds a client-side Cookie: request header from a list of name-value pairs without validating either field. An attacker who controls the cookie names or values passed to this function can inject ;, ,, CR, LF, or TAB characters into the serialized header. This enables two classes of attack: cookie smuggling within a single header (e.g. injecting "; admin=1" to introduce a phantom cookie that the receiving server treats as authentic) and HTTP request header splitting (injecting CRLF to append arbitrary headers or smuggle a complete second request against a shared upstream proxy). The decoder side (parse_cookie_name/1, parse_cookie_value/1) and setcookie/3 already validate and reject these characters; the encoder alone is missing the check. This issue affects cowlib from 2.9.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-21
Generated
2026-06-21
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-43969
EUVD
EUVD-2026-29193
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ninenines cowlib From 2.9.0 (inc) to 2.16.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-43969 is a vulnerability in the cow_cookie:cookie/1 function of the cowlib library that allows CRLF (Carriage Return Line Feed) injection via unvalidated cookie name and value fields.

The vulnerability occurs because the encoder builds a client-side Cookie header from name-value pairs without validating these fields, allowing an attacker to inject special characters such as semicolons, commas, carriage returns, line feeds, or tabs.

This enables two types of attacks: cookie smuggling (injecting phantom cookies that the server treats as authentic) and HTTP request header splitting (injecting CRLF sequences to append arbitrary headers or smuggle a second request).

While the decoder and setcookie/3 functions already validate and reject these characters, the encoder was missing this check, leading to the vulnerability.

Impact Analysis

This vulnerability can allow attackers to manipulate HTTP headers by injecting malicious characters into cookie names or values.

  • Cookie smuggling: attackers can inject phantom cookies that the receiving server treats as authentic, potentially bypassing security controls or altering session behavior.
  • HTTP request header splitting: attackers can inject CRLF sequences to append arbitrary headers or smuggle a complete second HTTP request, which can be used to bypass security mechanisms or perform further attacks on shared upstream proxies.
Detection Guidance

This vulnerability involves CRLF injection via unvalidated cookie name and value fields in HTTP request headers. To detect it on your network or system, you can monitor HTTP traffic for suspicious cookie headers containing unexpected characters such as semicolons (;), commas (,), carriage returns (CR), line feeds (LF), or tabs (TAB) that could indicate injection attempts.

You can use network traffic analysis tools like tcpdump or Wireshark to capture HTTP requests and inspect the Cookie headers for unusual or malformed values.

  • Use tcpdump to capture HTTP traffic on port 80 or 443 (if unencrypted): tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
  • Use grep or similar tools to search server logs for Cookie headers containing CR, LF, or control characters, e.g., grep -P '\r|\n|\t|;|,' access.log

Additionally, review application logs or add instrumentation to log cookie names and values before they are passed to the vulnerable cow_cookie:cookie/1 function to detect injection attempts.

Mitigation Strategies

To mitigate this vulnerability immediately, you should apply the patch released for cowlib that adds input validation to prevent injection of CRLF and other control characters in cookie names and values.

The patch modifies the cow_cookie.erl file to validate and reject characters such as commas, semicolons, tabs, carriage returns, and line feeds in cookie-related fields.

If patching immediately is not possible, implement input validation in your application to ensure cookie names and values conform to valid characters as defined in RFC 6265 Section 4.1.1 before passing them to cow_cookie:cookie/1.

Also, monitor and sanitize any user-controlled input that may influence cookie names or values to prevent injection of malicious characters.

Compliance Impact

The vulnerability allows attackers to perform HTTP request splitting and cookie smuggling by injecting malicious characters into cookie names and values. This can lead to unauthorized manipulation of cookies and HTTP headers, potentially compromising the integrity and confidentiality of user sessions and data.

Such unauthorized access or manipulation of cookies and HTTP headers can increase the risk of data breaches or unauthorized data exposure, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information.

However, the provided information does not explicitly describe the direct impact of this vulnerability on compliance with these standards or regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43969. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart