CVE-2026-43966
Status: Received - Intake
HTTP Response Splitting in cowlib

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: EEF

Description
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields string values. cow_http_struct_hd:escape_string/2 in cowlib only escapes \ and ", passing all other bytes through verbatim. This creates an encoder/decoder asymmetry: the matching parser accepts only printable ASCII (0x20–0x7E, excluding " and \), but the encoder emits any byte including CR and LF. An application that builds a structured HTTP header via cow_http_struct_hd:item/1 (or a higher-level wrapper such as cow_http_hd:wt_protocol/1) from attacker-controlled input can have \r\n injected into the serialized header value. Once on the wire, the injected CRLF terminates the current header and any following bytes are interpreted as a new header, enabling HTTP response splitting. This issue affects cowlib from 2.9.0.
Meta Information
Generated: 2026-06-09
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products
Vendor    Product  Version / Range
ninenines cowlib   2.9.0
ninenines gun      2.4.0
ninenines cowboy   2.16.0
ninenines cowboy   2.16
CWE-113: The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
Executive Summary

CVE-2026-43966 is a vulnerability in the cowlib library used in the Erlang ecosystem, specifically affecting versions 2.9.0 and later. It involves HTTP response splitting caused by improper neutralization of CRLF (Carriage Return and Line Feed) sequences in HTTP headers.

The root cause is that the function cow_http_struct_hd:escape_string/2 only escapes backslashes and double quotes, allowing other bytes including CR and LF to pass through unchanged. This creates an asymmetry where the parser accepts only printable ASCII characters, but the encoder can emit any byte including CR and LF.

An attacker can exploit this by injecting \r\n sequences into structured HTTP header values constructed from untrusted input. When these headers are serialized and sent, the injected CRLF sequences terminate the current header, causing subsequent bytes to be interpreted as new headers, enabling HTTP response splitting.

Applications using cow_http_struct_hd:item/1 or higher-level wrappers like cow_http_hd:wt_protocol/1 are vulnerable if they process attacker-controlled data.
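The encoder/parser asymmetry described in the Description and restated in the Executive Summary, modelled in Python as an added example (this is not cowlib's Erlang code; function names are hypothetical): the escaper that only handles backslash and double quote, a hardened escaper that enforces the parser's printable-ASCII rule before escaping, and the matching parser that rejects anything outside 0x20–0x7E.

```python
# Added example, not cowlib's code. Models the sf-string (RFC 8941) encoder
# and parser behaviour described in CVE-2026-43966. Names are hypothetical.


def escape_string_vulnerable(value: str) -> str:
    """Models cow_http_struct_hd:escape_string/2 before the fix: only
    backslash and double quote are escaped; every other character,
    including CR and LF, is passed through verbatim."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def escape_string_hardened(value: str) -> str:
    """Hardened serialisation: refuse any character outside printable
    ASCII (0x20-0x7E) before escaping, so CR/LF never reach the wire."""
    for ch in value:
        if not 0x20 <= ord(ch) <= 0x7E:
            raise ValueError(f"non-VCHAR byte 0x{ord(ch):02x} in sf-string")
    return escape_string_vulnerable(value)  # escaping step itself is fine


def parse_string(serialized: str) -> str:
    """Models the matching parser: inside the quotes only printable ASCII
    is accepted, with \\ and \" as the sole escape sequences."""
    if len(serialized) < 2 or serialized[0] != '"' or serialized[-1] != '"':
        raise ValueError("not a quoted sf-string")
    body, out, i = serialized[1:-1], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":
            i += 1
            if i >= len(body) or body[i] not in '"\\':
                raise ValueError("bad escape sequence")
            out.append(body[i])
        elif ch == '"' or not 0x20 <= ord(ch) <= 0x7E:
            raise ValueError(f"invalid byte 0x{ord(ch):02x} in sf-string")
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def round_trips(value: str, encoder) -> bool:
    """True when the parser accepts what the encoder emitted: the
    asymmetry shows up as a value the vulnerable encoder emits but the
    parser would never accept."""
    try:
        return parse_string(encoder(value)) == value
    except ValueError:
        return False


def rejects(value: str, encoder) -> bool:
    """True when the encoder refuses the value up front (hardened path)."""
    try:
        encoder(value)
        return False
    except ValueError:
        return True
```

The constructed input `"x\r\ny"` round-trips through neither encoder, but only the hardened one fails closed at serialisation time instead of emitting the CRLF.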

Compliance Impact

The vulnerability allows HTTP response splitting via injection of CRLF sequences in HTTP headers, which can lead to security issues such as header injection and potentially unauthorized data exposure or manipulation.

Such security weaknesses could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of data integrity and confidentiality, as well as secure handling of user data and communications.

If exploited, this vulnerability might enable attackers to manipulate HTTP responses, potentially leading to information disclosure or session hijacking, which would be violations of these regulations' security requirements.

Mitigations such as input validation and rejecting headers containing CR or LF bytes are necessary to maintain compliance and reduce risk.

Impact Analysis

This vulnerability can allow an attacker to perform HTTP response splitting attacks by injecting CRLF sequences into HTTP headers. This can lead to several security issues such as cache poisoning, cross-site scripting (XSS), web page content manipulation, and session fixation.

Both server-side and client-side applications using the affected cowlib versions are vulnerable if they accept attacker-controlled input in HTTP headers without proper validation.

Mitigations include using updated versions of Cowboy (2.16.0 and later) and Gun (2.4.0 and later) which provide options to reject or raise exceptions on headers containing CR or LF characters, or validating and rejecting any input containing such characters before building HTTP headers.

Detection Guidance

This vulnerability involves HTTP response splitting via injection of CRLF sequences in HTTP headers. To detect it on your network or system, you can monitor HTTP traffic for suspicious header values containing carriage return (CR) and line feed (LF) characters that are not properly escaped.

You can use network packet capture tools like tcpdump or Wireshark to filter and inspect HTTP headers for CR or LF characters within header values.

  • Use tcpdump to capture HTTP traffic: tcpdump -A -s 0 'tcp port 80 or tcp port 443' (note that traffic on port 443 is TLS-encrypted, so header contents are only visible in plaintext at the TLS-terminating proxy or in application logs).
  • Use grep or similar tools to search for CR (\r) or LF (\n) characters inside captured HTTP header values.
  • Inspect application logs or enable debugging to check whether any HTTP headers contain unescaped CR or LF characters.

Additionally, on the application side, enabling validation options such as Cowboy's `invalid_response_headers` or Gun's `invalid_request_headers` can help detect and reject headers containing CR or LF bytes.

Mitigation Strategies

Immediate mitigation steps include enabling built-in validation options in the affected libraries to reject HTTP headers containing CR or LF characters.

  • For server-side applications using Cowboy (version 2.16.0 and later), enable the `invalid_response_headers` option, which rejects or terminates responses with invalid headers.
  • For client-side applications using Gun (version 2.4.0 and later), enable the `invalid_request_headers` option, which raises exceptions when invalid headers are detected.
  • Validate and sanitize all input values before passing them to structured HTTP header builders to ensure they do not contain CR or LF bytes.

If upgrading or enabling these options is not immediately possible, implement input validation at the application level to reject or escape CR and LF characters in HTTP header values.
