Description
ewe is a Gleam web server. Prior to version 3.0.6, the encode_headers function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP bytes without validating or stripping CRLF (\r\n) sequences. An application that passes user-controlled data into response headers (e.g., setting a Location redirect header from a request parameter) allows an attacker to inject arbitrary HTTP response content, leading to response splitting, cache poisoning, and possible cross-site scripting. Notably, ewe does validate CRLF in incoming request headers via validate_field_value() in the HTTP/1.1 parser — but provides no equivalent protection for outgoing response headers in the encoder. This issue has been patched in version 3.0.6.
Published: 2026-04-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Response Splitting and XSS via CRLF Injection
Action: Patch Now
AI Analysis

Impact

The flaw lies in the encode_headers function of the web server, which inserts header keys and values directly into the HTTP bytes without removing CRLF (\r\n) sequences. Because of this, an attacker who can supply arbitrary data to a response header—such as setting a Location redirect header from a request parameter—can inject extra CRLFs. This allows the attacker to break the intended response structure and inject additional HTTP content, leading to HTTP response splitting, cache poisoning, and, depending on the context, cross‑site scripting. The weakness corresponds to the Common Weakness Enumeration item CWE‑113: Improper Neutralization of CRLF Sequences.

Affected Systems

The vulnerability affects the web server software named ewe, developed by vshakitskiy. All releases prior to version 3.0.6 are susceptible because they use the unguarded encoder function. The patch that fixes the issue is included in the 3.0.6 release.

Risk and Exploitability

The Common Vulnerability Scoring System assigns a score of 5.3, indicating a moderate severity. The Exploit Prediction Scoring System score is not available, and the vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. The likely attack vector is remote, requiring the ability to send specially crafted HTTP requests to the vulnerable server. No privileged access is needed; an attacker can simply send a request containing a header value with CRLF characters to trigger the vulnerability. Once exploited, the attacker can interfere with client browsers, manipulate cache entries, or embed malicious scripts, depending on the header context.

Generated by OpenCVE AI on April 2, 2026 at 22:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch to upgrade ewe to version 3.0.6 or later
  • If an immediate upgrade is not feasible, modify the application logic so that any user input passed to response headers is sanitized or rejected before being encoded
  • Implement a custom header validator that removes or rejects CRLF sequences in outgoing headers
  • Continuously monitor server logs for unexpected header patterns or repeated attempts to inject CRLF characters
  • If a workaround cannot prevent header injection, consider temporarily disabling features that allow user‑controlled header values until the patch is applied
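The Impact section above describes an encoder that interpolates header names and values into wire bytes unchecked, and the recommended actions call for a validator that rejects or removes CRLF in outgoing headers. The following Python is an added illustration written for this page; it is not ewe's code (ewe is written in Gleam) and does not reproduce its encoder. It places a naive encoder that mirrors the described defect beside a hardened one that checks names and values against the RFC 9110 field grammar before they are written, plus a small receiver-side splitter that shows how each output is framed. The function names (encode_headers_naive, encode_headers_safe, is_safe_value, sanitize_field_value, split_header_lines) and the sample Location value are constructed for the example.

```python
import re

CRLF = b"\r\n"

# RFC 9110 "token" characters, the only ones allowed in a header field name.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Field value: visible ASCII, SP, HTAB and obs-text (0x80-0xFF). CR, LF, NUL and
# every other control octet are excluded, which is what blocks response splitting.
_FIELD_VALUE_RE = re.compile(r"[\t \x21-\x7e\x80-\xff]*")


class HeaderInjectionError(ValueError):
    """Raised when a header name or value would break HTTP/1.1 framing."""


def encode_headers_naive(headers):
    """Mirrors the defect the advisory describes: names and values are
    interpolated straight into the wire bytes, so a value containing CRLF
    starts a new header line (or ends the header block) on the receiver."""
    out = bytearray()
    for name, value in headers:
        out += f"{name}: {value}".encode("latin-1") + CRLF
    out += CRLF  # empty line terminates the header block
    return bytes(out)


def is_token(name):
    """True if the name is a valid RFC 9110 token (no spaces, no controls)."""
    return _TOKEN_RE.fullmatch(name) is not None


def is_safe_value(value):
    """True if the value contains no CR, LF, NUL or other control octet.
    fullmatch, not match: with a trailing "$" a value ending in "\\n" would pass."""
    return _FIELD_VALUE_RE.fullmatch(value) is not None


def sanitize_field_value(value):
    """Lenient alternative for callers that prefer removal over rejection:
    collapse any run of CR/LF/NUL to a single space. Rejection is the better
    default for headers such as Location, where a mangled value is still wrong."""
    return re.sub(r"[\r\n\x00]+", " ", value)


def encode_headers_safe(headers):
    """Hardened encoder: every name and value is checked before it is written,
    so CR or LF can never appear inside the encoded header block."""
    out = bytearray()
    for name, value in headers:
        if not is_token(name):
            raise HeaderInjectionError(f"invalid header field name: {name!r}")
        if not is_safe_value(value):
            raise HeaderInjectionError(f"control character in header value: {value!r}")
        out += f"{name}: {value}".encode("latin-1") + CRLF
    out += CRLF
    return bytes(out)


def split_header_lines(encoded):
    """Parse an encoded block the way an HTTP/1.1 receiver does: the header
    section ends at the first empty line, and each CRLF before it ends one
    header. Any bytes after the empty line would be taken as the body."""
    end = encoded.find(CRLF + CRLF)
    block = encoded if end < 0 else encoded[:end]
    return [line for line in block.split(CRLF) if line]


# Constructed sample: an untrusted redirect target carrying a CRLF sequence.
UNTRUSTED_LOCATION = "/home\r\nX-Injected: 1"


def demo():
    """Returns (number of header lines the receiver sees from the naive
    encoder, whether the hardened encoder rejected the same input)."""
    headers = [("Content-Type", "text/html"), ("Location", UNTRUSTED_LOCATION)]
    naive_lines = split_header_lines(encode_headers_naive(headers))
    try:
        encode_headers_safe(headers)
        rejected = False
    except HeaderInjectionError:
        rejected = True
    return len(naive_lines), rejected


if __name__ == "__main__":
    # Two headers go in; the naive encoder yields three header lines on the
    # wire, while the hardened encoder refuses the input.
    print(demo())
```

The check belongs in the encoder rather than in each handler because the encoder is the last point every outgoing header passes through; validating there is the same approach the advisory notes ewe already applies to incoming headers via validate_field_value().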



Advisories

Source: Github GHSA
ID: GHSA-x2w3-23jr-hrpf
Title: ewe Has Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting)
History

Fri, 03 Apr 2026 16:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Vshakitskiy; Vshakitskiy ewe

Type: Vendors & Products
Values Added: Vshakitskiy; Vshakitskiy ewe

Thu, 02 Apr 2026 20:30:00 +0000

Type: Description
Values Added: ewe is a Gleam web server. Prior to version 3.0.6, the encode_headers function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP bytes without validating or stripping CRLF (\r\n) sequences. An application that passes user-controlled data into response headers (e.g., setting a Location redirect header from a request parameter) allows an attacker to inject arbitrary HTTP response content, leading to response splitting, cache poisoning, and possible cross-site scripting. Notably, ewe does validate CRLF in incoming request headers via validate_field_value() in the HTTP/1.1 parser — but provides no equivalent protection for outgoing response headers in the encoder. This issue has been patched in version 3.0.6.

Type: Title
Values Added: ewe Has Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting)

Type: Weaknesses
Values Added: CWE-113

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T16:00:41.121Z

Reserved: 2026-03-30T18:41:20.752Z

Link: CVE-2026-34715

Vulnrichment

Updated: 2026-04-03T16:00:36.543Z

NVD

Status: Awaiting Analysis

Published: 2026-04-02T18:16:32.910

Modified: 2026-04-03T16:16:40.737

Link: CVE-2026-34715

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:17:08Z

Weaknesses