Description
CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection via unvalidated response header values.
Published: 2026-06-02
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CrowCpp Crow through version 1.3.1 is vulnerable to response header injection because the framework does not validate values written into HTTP response headers. Based on the description, it is inferred that an attacker can inject arbitrary header values by sending specially crafted HTTP requests, which could enable the modification or hijacking of HTTP responses and potentially lead to information disclosure, impersonation, or injection of malicious content.

Affected Systems

All deployments of CrowCpp Crow that use version 1.3.1 or earlier are affected. No vendor‑specific information has been disclosed, so any application that incorporates this library may be vulnerable.

Risk and Exploitability

The CVSS score is not published and the EPSS score is unavailable; the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the likely attack vector is sending HTTP requests with unvalidated header values to an application that uses CrowCpp. The risk therefore depends on the exposure of Crow-based applications and the presence of user‑controlled header inputs.

Generated by OpenCVE AI on June 3, 2026 at 04:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CrowCpp to the latest release that includes the response header validation fix.
  • Apply the patch referenced in pull request #1167 if you cannot upgrade the library package, by replacing the affected code in your project with the patched version.
  • Implement input validation on any headers generated by your application to reject CR, LF, or non‑ASCII characters before they are written to the response.
  • Deploy a web application firewall or equivalent that blocks responses containing malformed or unexpected header lines.
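
A sketch of the application-side header check recommended above. This is an added example, not Crow's code and not the patch from pull request #1167; `HeaderMap`, `is_safe_header_name`, `is_safe_header_value` and `set_header_checked` are hypothetical names, and the container is a stand-in for whatever the application uses to hold response headers.

```cpp
#include <map>
#include <string>

// Hypothetical stand-in for a framework's response header container.
using HeaderMap = std::multimap<std::string, std::string>;

// Field value check: printable ASCII (0x20-0x7E) and horizontal tab only.
// Rejects CR, LF, NUL, other control bytes, DEL and every non-ASCII byte.
bool is_safe_header_value(const std::string& v) {
    for (unsigned char c : v) {
        if (c == '\t') continue;
        if (c < 0x20 || c > 0x7E) return false;
    }
    return true;
}

// Field name check: non-empty RFC 9110 "token" (no spaces, colons, controls).
bool is_safe_header_name(const std::string& n) {
    static const std::string extra = "!#$%&'*+-.^_`|~";
    if (n.empty()) return false;
    for (unsigned char c : n) {
        bool alnum = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
                     (c >= 'a' && c <= 'z');
        if (!alnum && extra.find(static_cast<char>(c)) == std::string::npos)
            return false;
    }
    return true;
}

// Store the header only if both parts pass; on false the caller should
// drop the header or answer with an error instead of writing it out.
bool set_header_checked(HeaderMap& headers, const std::string& name,
                        const std::string& value) {
    if (!is_safe_header_name(name) || !is_safe_header_value(value))
        return false;
    headers.emplace(name, value);
    return true;
}

// Constructed sample: a value with an embedded CRLF must never be stored.
bool demo_rejects_crlf() {
    HeaderMap h;
    bool ok = set_header_checked(h, "Location", "/home");
    bool bad = set_header_checked(h, "Location", "/x\r\nX-Injected: 1");
    return ok && !bad && h.size() == 1;
}
```

Routing every header write through one checked setter keeps the rule in a single place, so values derived from request data cannot bypass it.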

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 16:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 11:15:00 +0000

Type: Title
Values Removed: (none)
Values Added: CrowCpp Crow v1.3.1 Response Header Injection Vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-113, CWE-20

Wed, 03 Jun 2026 04:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Crowcpp; Crowcpp crow

Type: Vendors & Products
Values Removed: (none)
Values Added: Crowcpp; Crowcpp crow

Wed, 03 Jun 2026 02:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection via unvalidated response header values.

References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-02T17:38:17.490Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38967

Vulnrichment

Updated: 2026-06-03T16:04:59.095Z

NVD

Status: Received

Published: 2026-06-02T20:16:35.487

Modified: 2026-06-02T20:16:35.487

Link: CVE-2026-38967

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T05:00:12Z

Weaknesses