Impact
The flaw stems from cow_http_struct_hd:escape_string/2 in the cowlib library, which escapes only backslash and double-quote characters and passes every other byte through unchanged. This creates an asymmetry between the encoder and its parser: the decoder accepts only printable ASCII characters, but the encoder can emit any byte, including carriage return and line feed. When an application constructs a structured HTTP header with cow_http_struct_hd:item/1 or a higher-level wrapper and incorporates attacker-controlled data, the non-VCHAR CR or LF bytes become part of the serialized header value. Once transmitted, the injected CRLF sequence terminates the current header and causes the data that follows to be interpreted as a new header, enabling response-splitting attacks that can lead to header injection, cache poisoning or cross-site scripting. The associated weakness is CWE-113, improper neutralization of CRLF sequences in HTTP headers.
Affected Systems
The vulnerability is present in versions of the cowlib library from 2.9.0 onward. Applications that depend on cowlib directly, or through higher-level frameworks such as cowboy 2.16.0+ and gun 2.4.0+, are potentially exposed. Practical mitigation is available in those frameworks via configuration: cowboy can be configured with invalid_response_headers set to error_terminate, while gun offers an invalid_request_headers option that raises an exception when a header contains CR or LF. However, any application that calls cowlib directly, or through a layer that does not honor these options, remains vulnerable.
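For code that calls cowlib directly and cannot rely on the cowboy or gun options above, the value can be checked before it reaches the serializer. The following is an added example, not cowlib's own code: escape_only/1 mirrors the escaping behaviour the advisory describes, and safe_string/1 is a hypothetical guard that rejects any byte outside the VCHAR/SP range (0x20..0x7E) instead of emitting it.

```erlang
%% struct_hd_guard.erl: reject non-VCHAR bytes before a string is placed
%% in a structured header. Added example, not part of cowlib.
-module(struct_hd_guard).
-export([escape_only/1, safe_string/1, demo/0]).

%% Mirrors the behaviour the advisory describes: only backslash and
%% double quote are escaped; every other byte passes through unchanged,
%% so a CR or LF in the input ends up in the serialized header verbatim.
escape_only(Bin) when is_binary(Bin) ->
    << <<(escape_byte(B))/binary>> || <<B>> <= Bin >>.

escape_byte($\\) -> <<"\\\\">>;
escape_byte($")  -> <<"\\\"">>;
escape_byte(B)   -> <<B>>.

%% Hardened variant: an sf-string may contain only VCHAR or SP
%% (0x20..0x7E). Anything else, including CR (0x0D) and LF (0x0A),
%% is rejected before serialization rather than copied into the header.
-spec safe_string(binary()) -> {ok, binary()} | {error, {invalid_char, byte()}}.
safe_string(Bin) when is_binary(Bin) ->
    case first_invalid(Bin) of
        none -> {ok, <<$", (escape_only(Bin))/binary, $">>};
        Byte -> {error, {invalid_char, Byte}}
    end.

first_invalid(<<B, Rest/binary>>) when B >= 16#20, B =< 16#7E ->
    first_invalid(Rest);
first_invalid(<<B, _/binary>>) -> B;
first_invalid(<<>>) -> none.

%% Constructed inputs: a benign value with characters that legitimately
%% need escaping, and one carrying a CRLF that must be refused.
demo() ->
    Benign  = <<"report \"v1\" \\ draft">>,
    Hostile = <<"a\r\nb">>,
    {ok, <<"\"report \\\"v1\\\" \\\\ draft\"">>} = safe_string(Benign),
    {error, {invalid_char, $\r}} = safe_string(Hostile),
    ok.
```

An application would call safe_string/1 on untrusted input and refuse to build the header on {error, _}, which gives the same fail-closed behaviour as the cowboy error_terminate setting described above.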
Risk and Exploitability
With a CVSS score of 6.3, the vulnerability is rated moderate severity. EPSS data is not available, and the issue is not listed in the CISA KEV catalog, indicating that it is not a known actively exploited vulnerability at this time. The attack vector requires an attacker to be able to influence the content of a header constructed by the application. In practice this could be exploited via crafted HTTP requests to the target service if the application forwards or incorporates untrusted input into structured HTTP headers.
OpenCVE Enrichment