CVE-2026-43969
CRLF Injection in cowlib
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: EEF
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| erlef | cowlib | 2.9.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to perform HTTP request splitting and cookie smuggling by injecting malicious characters into cookie names and values. This can lead to unauthorized manipulation of cookies and HTTP headers, potentially compromising the integrity and confidentiality of user sessions and data.
Such unauthorized access or manipulation of cookies and HTTP headers can increase the risk of data breaches or unauthorized data exposure, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information.
However, the provided information does not explicitly describe the direct impact of this vulnerability on compliance with these standards or regulations.
Can you explain this vulnerability to me?
CVE-2026-43969 is a vulnerability in the cow_cookie:cookie/1 function of the cowlib library, which builds a client-side Cookie request header from a list of cookie name/value pairs. It allows CRLF injection because the name and value fields were not validated.
The encoder simply concatenated the pairs, so a caller that passes attacker-influenced names or values lets the attacker place special characters such as semicolons, commas, carriage returns, line feeds or tabs into the header. Only applications that call cow_cookie:cookie/1 with names or values derived from untrusted input are exposed.
This enables two kinds of attack: cookie smuggling (a value such as "x; admin=1" turns into an extra, phantom cookie that the receiving server treats as if the client had sent it on purpose) and HTTP request header splitting (a CRLF sequence terminates the Cookie header early, so the rest of the value is parsed as additional headers, or even as a complete second request).
The decoder and the setcookie/3 encoder already validated and rejected these characters; only cookie/1 was missing the check, which is what the fix adds.
How can this vulnerability impact me?
If your application uses cowlib to build Cookie headers for outbound HTTP requests and any cookie name or value can be influenced by an attacker, that attacker can manipulate the headers of the requests your application sends.
- Cookie smuggling: the attacker injects phantom cookies that the receiving server cannot distinguish from real ones, potentially bypassing security controls or altering session behavior on that server.
- HTTP request header splitting: the attacker injects CRLF sequences to append arbitrary headers or smuggle a complete second HTTP request, which can be used to bypass security mechanisms or attack other clients of a shared upstream proxy that keeps the connection open.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is CRLF injection through unvalidated cookie names and values in an outbound Cookie request header, so the evidence is in traffic leaving the cowlib-based client and in the logs of the servers that receive it. Semicolons and commas are legitimate delimiters inside a Cookie header, so on the wire the reliable indicators are control characters (CR, LF, TAB or other bytes below 0x20) inside a header line, or a second request line following a Cookie header in what should have been a single request.
You can use network traffic analysis tools like tcpdump or Wireshark to capture outbound HTTP requests and inspect the Cookie headers for control characters or malformed values. This only works for plaintext HTTP: requests sent over TLS (port 443) cannot be inspected this way unless you capture at a TLS-terminating proxy or inside the client itself.
- Use tcpdump to capture plaintext HTTP on port 80, printing only packets that carry a TCP payload: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
- Search the access logs of the receiving servers for logged Cookie headers that contain control characters. The Cookie header is not part of the default combined log format, so it has to be logged explicitly. Do not grep for ';' or ',' (they appear in legitimate fields such as the User-Agent) or for a bare '\n' (grep reads one line at a time, so it never matches); match control characters instead, both raw and in the escaped form your server writes (nginx commonly writes \xHH, Apache commonly writes \r, \n and \t): grep -P '\x0d|\x09|\\x(0[0-9a-f]|1[0-9a-f]|7f)|\\[rnt]' access.log
Additionally, instrument the application at the point where it calls cow_cookie:cookie/1 and log (or reject) any cookie name or value that contains characters outside the RFC 6265 grammar. This is the only place where cookie smuggling can be seen: once a phantom cookie is inside the header it is indistinguishable from a legitimate one.
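The following is an added example, not code from the page or from the cowlib project. It runs the log check described above over a handful of constructed access-log lines (assumed format: combined log with the Cookie request header appended as a final quoted field, e.g. $http_cookie in nginx or %{Cookie}i in Apache) and compares it with the page's naive grep pattern. The escape styles it recognizes (\xHH and C-style \r \n \t) are assumptions about how a log writer records control characters; adjust them to your server's configuration.

```python
import re
from typing import List, Optional, Tuple

# Constructed access-log lines (not from any real system). Line 0 is clean; lines 1-3
# carry control characters in the cookie field as different servers would record them
# (nginx-style \xHH escapes, Apache-style \r\n escapes, a raw TAB); line 4 has no cookie.
_UA = '"Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/1.0"'
SAMPLE_LOG = [
    '203.0.113.7 - - [11/May/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 512 '
    + _UA + ' "session=abc; theme=dark"',
    '203.0.113.7 - - [11/May/2026:10:00:02 +0000] "GET / HTTP/1.1" 200 512 '
    + _UA + ' "session=abc; pref=x\\x0d\\x0aX-Injected: 1"',
    '203.0.113.7 - - [11/May/2026:10:00:03 +0000] "GET / HTTP/1.1" 200 512 '
    + _UA + ' "pref=x\\r\\nX-Injected: 1"',
    '203.0.113.7 - - [11/May/2026:10:00:04 +0000] "GET / HTTP/1.1" 200 512 '
    + _UA + ' "pref=x\tsmuggled=1"',
    '203.0.113.7 - - [11/May/2026:10:00:05 +0000] "GET / HTTP/1.1" 200 512 '
    + _UA + ' "-"',
]

# Last double-quoted field on the line, allowing backslash escapes inside it.
_LAST_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"\s*$')

# A control character in any of the forms a log writer may use for it (assumed styles).
_CTL = re.compile(
    r'[\x00-\x1f\x7f]'                  # raw CTL (TAB, CR, ...)
    r'|\\x(?:[01][0-9a-fA-F]|7[fF])'    # \xHH escape of 0x00-0x1f or 0x7f
    r'|\\[rnt]'                         # C-style \r \n \t escapes
)

# The page's original grep pattern, for comparison: it fires on any ';' or ','.
_NAIVE = re.compile(r'\r|\n|\t|;|,')


def cookie_field(line: str) -> Optional[str]:
    """Extract the logged Cookie header (the last quoted field), or None."""
    m = _LAST_QUOTED.search(line)
    return m.group(1) if m else None


def cookie_has_ctl(line: str) -> bool:
    """True when the logged Cookie header carries a control character."""
    field = cookie_field(line)
    return field is not None and field != "-" and _CTL.search(field) is not None


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Indexes and cookie fields of lines whose Cookie header looks injected."""
    return [(i, cookie_field(line)) for i, line in enumerate(lines) if cookie_has_ctl(line)]


def naive_hits(lines: List[str]) -> List[int]:
    """Lines the page's grep pattern would flag (every line, because of the User-Agent)."""
    return [i for i, line in enumerate(lines) if _NAIVE.search(line)]


if __name__ == "__main__":
    print("naive grep flags:", naive_hits(SAMPLE_LOG))
    for i, field in scan_log(SAMPLE_LOG):
        print(f"line {i}: Cookie header contains a control character: {field!r}")
```

The naive pattern flags all five lines because every User-Agent contains a semicolon, while the control-character check flags only the three injected ones. Note what this check cannot see: a smuggled cookie without control characters ("x; admin=1") arrives as two well-formed cookies and is only detectable in the application before the header is encoded.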
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, update cowlib to a release that includes the fix, which adds input validation to cow_cookie:cookie/1 so that cookie names and values containing CRLF or other delimiter and control characters are rejected instead of being copied into the header.
The patch modifies cow_cookie.erl to validate cookie names and values and to reject commas, semicolons, tabs, carriage returns and line feeds in those fields.
If patching immediately is not possible, validate in your application before calling cow_cookie:cookie/1. Per RFC 6265 Section 4.1.1, a cookie name is an RFC 2616 token (no control characters, no whitespace and none of the separators such as ; , = " \ ( ) < > @ : / [ ] ? { }), and a cookie value consists of cookie-octets (printable US-ASCII excluding whitespace, DQUOTE, comma, semicolon and backslash), optionally wrapped in a single pair of double quotes.
Also treat any user-controlled input that can reach a cookie name or value as untrusted, and reject non-conforming input rather than trying to strip the offending characters; an allow-list check against the grammar above is easier to get right than sanitization.
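As an added example that is not cowlib's code (cowlib is Erlang; this is a Python model), the block below puts the unvalidated encoder described in the explanation above next to a hardened one that enforces the RFC 6265 grammar from the mitigation step. It shows what a receiving server makes of each attack: the phantom cookie, the injected header, and the smuggled second request. The host name, paths and cookie values are constructed; the server-side parsing helpers are simplified stand-ins for a real HTTP parser.

```python
import re
from typing import Dict, List, Tuple

# RFC 2616 token: one or more CHARs in 0x21-0x7E, excluding the separators.
_SEPARATORS = set('()<>@,;:\\"/[]?={} \t')

# RFC 6265 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E, i.e. printable
# US-ASCII minus CTLs, whitespace, DQUOTE, comma, semicolon and backslash.
_COOKIE_OCTETS = re.compile(r'\A[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*\Z')

_REQUEST_LINE = re.compile(r'\A[A-Z]+ \S+ HTTP/1\.[01]\Z')


def is_cookie_name(name: str) -> bool:
    return bool(name) and all(0x20 < ord(c) < 0x7F and c not in _SEPARATORS for c in name)


def is_cookie_value(value: str) -> bool:
    # RFC 6265 allows one optional pair of surrounding DQUOTEs around the octets.
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return _COOKIE_OCTETS.match(value) is not None


def encode_cookie_unvalidated(pairs: List[Tuple[str, str]]) -> str:
    """Model of the pre-fix behaviour: join pairs with '; ' and trust the caller."""
    return "; ".join(f"{name}={value}" for name, value in pairs)


def encode_cookie_validated(pairs: List[Tuple[str, str]]) -> str:
    """Hardened form: reject any name or value outside the RFC 6265 grammar."""
    for name, value in pairs:
        if not is_cookie_name(name):
            raise ValueError(f"invalid cookie name: {name!r}")
        if not is_cookie_value(value):
            raise ValueError(f"invalid cookie value: {value!r}")
    return encode_cookie_unvalidated(pairs)


def is_rejected(pairs: List[Tuple[str, str]]) -> bool:
    """True when the validating encoder refuses the pairs."""
    try:
        encode_cookie_validated(pairs)
    except ValueError:
        return True
    return False


def build_request(host: str, path: str, cookie_header: str) -> str:
    """The minimal HTTP/1.1 request a client would send with this Cookie header."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie_header}\r\n\r\n"


def server_view_cookies(cookie_header: str) -> Dict[str, str]:
    """What a typical server-side parser makes of the header: split on ';', then '='."""
    cookies: Dict[str, str] = {}
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def server_view_headers(raw: str) -> List[str]:
    """Header names a receiver parses from the first request in the byte stream."""
    names: List[str] = []
    for line in raw.split("\r\n")[1:]:
        if line == "":
            break
        names.append(line.partition(":")[0])
    return names


def count_request_lines(raw: str) -> int:
    """Number of HTTP request lines in the stream; 2 means a second request was smuggled."""
    return sum(1 for line in raw.split("\r\n") if _REQUEST_LINE.match(line))


if __name__ == "__main__":
    # Cookie smuggling: a value carrying "; " becomes a phantom third cookie.
    smuggle = encode_cookie_unvalidated([("session", "abc"), ("pref", "x; admin=1")])
    print(server_view_cookies(smuggle))
    # Header splitting: a value carrying CRLF appends an attacker-chosen header.
    split = build_request("example.test", "/", encode_cookie_unvalidated([("pref", "x\r\nX-Injected: 1")]))
    print(server_view_headers(split))
    # Request smuggling: a value carrying a blank line and a full second request.
    second = "x\r\n\r\nGET /admin HTTP/1.1\r\nHost: example.test"
    print(count_request_lines(build_request("example.test", "/", encode_cookie_unvalidated([("pref", second)]))))
    # The validating encoder refuses all three inputs.
    for bad in ["x; admin=1", "x\r\nX-Injected: 1", second]:
        print(bad.split("\r")[0], "rejected:", is_rejected([("pref", bad)]))
```

The validating encoder deliberately rejects rather than strips: removing the delimiter from "x; admin=1" would silently change the cookie the application meant to send, and a caller that needs those characters in a value must percent-encode them before the cookie is built.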