Description
CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection via unvalidated response header values.
Published: 2026-06-02
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CrowCpp Crow through version 1.3.1 is vulnerable because it does not validate values written into HTTP response headers. An attacker can send specially crafted requests that cause the framework to insert unvalidated header values into the response. This allows manipulation of the HTTP response header fields, potentially changing how clients interpret the response.

Affected Systems

All deployments of CrowCpp Crow that use version 1.3.1 or earlier are affected. No vendor-specific information has been disclosed, so any application that incorporates this library may be vulnerable.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity. The EPSS score is < 1%, suggesting a very low probability that this vulnerability will be actively exploited. It is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a specially crafted HTTP request to an application built on CrowCpp Crow that causes attacker-influenced content to be written into a response header value; the attacker must therefore be able to influence that content. The risk depends on the exposure of Crow-based applications and on whether user input can reach header values.

Generated by OpenCVE AI on June 3, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade CrowCpp Crow to the latest release that includes the response header validation fix.
  • If upgrading is not feasible, apply the patch from pull request #1167 by replacing the affected code with the patched version.
  • Implement input validation on any header values generated by your application to reject CR, LF, or non-ASCII characters before they are written to the response.
  • Deploy a web application firewall or equivalent that blocks responses containing malformed or unexpected header lines.
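The validation step from the third recommendation, written out in C++ as an added example (this is not OpenCVE's or the Crow project's code): header names are limited to RFC 7230 token characters and values to visible ASCII plus space and tab, so CR, LF, NUL and non-ASCII bytes are rejected before anything reaches the framework. The `SafeHeaders` wrapper and the `res.set_header` call named in the comment are assumptions about how an application would wire this in.

```cpp
#include <cctype>
#include <string>
#include <utility>
#include <vector>

// RFC 7230 field-name: a "token" of printable ASCII without separators.
bool is_valid_header_name(const std::string& name) {
    static const std::string extra = "!#$%&'*+-.^_`|~";
    if (name.empty()) return false;
    for (unsigned char c : name) {
        if (!std::isalnum(c) && extra.find(static_cast<char>(c)) == std::string::npos)
            return false;
    }
    return true;
}

// Field-value: visible ASCII, SP and HTAB only. CR, LF, NUL, other control
// bytes and any byte >= 0x80 are rejected, so a value can never terminate the
// current header line or begin a new one (CWE-113).
bool is_valid_header_value(const std::string& value) {
    for (unsigned char c : value) {
        if (c != '\t' && (c < 0x20 || c > 0x7E)) return false;
    }
    return true;
}

// Stand-in for a response header map (assumed wiring, not a Crow type).
// A Crow handler would call res.set_header(name, value) only after try_set
// has returned true, so rejected input never reaches the framework.
struct SafeHeaders {
    std::vector<std::pair<std::string, std::string>> fields;

    // Returns false and stores nothing when either part fails validation.
    bool try_set(const std::string& name, const std::string& value) {
        if (!is_valid_header_name(name) || !is_valid_header_value(value)) return false;
        fields.emplace_back(name, value);
        return true;
    }

    // Serialises the header block; only validated fields can appear here.
    std::string serialize() const {
        std::string out;
        for (const auto& f : fields) out += f.first + ": " + f.second + "\r\n";
        return out;
    }
};
```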

Tracking

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
Title Response Header Injection in CrowCpp Crow via Unvalidated Header Values

Wed, 03 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Title CrowCpp Crow v1.3.1 Response Header Injection Vulnerability
Weaknesses CWE-20

Wed, 03 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Title CrowCpp Crow v1.3.1 Response Header Injection Vulnerability
Weaknesses CWE-113
CWE-20

Wed, 03 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
First Time appeared Crowcpp
Crowcpp crow
Vendors & Products Crowcpp
Crowcpp crow

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Description CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection via unvalidated response header values.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-03T16:06:06.706Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38967

Vulnrichment

Updated: 2026-06-03T16:04:59.095Z

NVD

Status : Deferred

Published: 2026-06-02T20:16:35.487

Modified: 2026-06-04T16:26:20.550

Link: CVE-2026-38967

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T19:30:36Z

Weaknesses
  • CWE-113

    Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')