Description
ewe is a Gleam web server. Prior to version 3.0.6, the encode_headers function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP bytes without validating or stripping CRLF (\r\n) sequences. An application that passes user-controlled data into response headers (e.g., setting a Location redirect header from a request parameter) allows an attacker to inject arbitrary HTTP response content, leading to response splitting, cache poisoning, and possible cross-site scripting. Notably, ewe does validate CRLF in incoming request headers via validate_field_value() in the HTTP/1.1 parser — but provides no equivalent protection for outgoing response headers in the encoder. This issue has been patched in version 3.0.6.
Published: 2026-04-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: HTTP response splitting enabling XSS or cache poisoning
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises in the web server’s header encoding routine, where header keys and values are inserted into the raw HTTP response without sanitizing carriage‑return or line‑feed characters. An attacker who can supply arbitrary values for response headers—such as by manipulating a Location header from a user input—can insert CRLF sequences. This results in an HTTP response split, allowing the injection of additional HTTP headers or arbitrary response body content. The injected content may be used for cross‑site scripting or to poison caching proxies. The weakness is a classic response‑splitting flaw. The impact is the potential to exfiltrate data, alter page content seen by users, or redirect clients to malicious sites.

Affected Systems

The affected product is the "ewe" web server, maintained by vshakitskiy. All releases prior to version 3.0.6 are vulnerable. Versions 3.0.6 and later include a patch that validates and strips CRLF sequences from outgoing headers.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, while the EPSS score of less than 1% suggests exploitation is unlikely at present. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, the likely attack vector is remote exploitation via normal HTTP traffic to the server. The exploit requires an attacker to control header values, something feasible when an application propagates user‑controlled data into response headers without sanitization.

Generated by OpenCVE AI on April 10, 2026 at 17:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest release of ewe (v3.0.6 or newer) to ensure the header sanitization is enabled.

Generated by OpenCVE AI on April 10, 2026 at 17:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-x2w3-23jr-hrpf ewe Has Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting)
History

Fri, 10 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:vshakitskiy:ewe:*:*:*:*:*:*:*:*

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Vshakitskiy
Vshakitskiy ewe
Vendors & Products Vshakitskiy
Vshakitskiy ewe

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description ewe is a Gleam web server. Prior to version 3.0.6, the encode_headers function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP bytes without validating or stripping CRLF (\r\n) sequences. An application that passes user-controlled data into response headers (e.g., setting a Location redirect header from a request parameter) allows an attacker to inject arbitrary HTTP response content, leading to response splitting, cache poisoning, and possible cross-site scripting. Notably, ewe does validate CRLF in incoming request headers via validate_field_value() in the HTTP/1.1 parser — but provides no equivalent protection for outgoing response headers in the encoder. This issue has been patched in version 3.0.6.
Title ewe Has Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting)
Weaknesses CWE-113
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Vshakitskiy Ewe
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T16:00:41.121Z

Reserved: 2026-03-30T18:41:20.752Z

Link: CVE-2026-34715

cve-icon Vulnrichment

Updated: 2026-04-03T16:00:36.543Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T18:16:32.910

Modified: 2026-04-10T16:01:12.507

Link: CVE-2026-34715

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T14:28:03Z

Weaknesses