Description
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values.

cow_sse:event/1 in cowlib guards the id and event fields against \n but not against bare \r, and the internal prefix_lines/2 function used for data and comment fields splits only on \n. Because the SSE specification requires decoders to treat \r\n, \r, and \n as equivalent line terminators, an attacker who controls any of these fields can inject additional SSE lines and forge a complete event with an arbitrary event type and data payload on the receiving end. In typical deployments where browser EventSource clients or other SSE consumers dispatch on event.type and render event.data, this enables event splitting, client-side logic manipulation, and stored-XSS-equivalent behaviour when event data is inserted into the DOM.

This issue affects cowlib from 2.6.0.
Published: 2026-05-11
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

cowlib's SSE encoder guards against LF characters but fails to neutralize bare CR characters, creating a CRLF injection flaw that lets an attacker append additional SSE lines. The attacker can forge events with arbitrary event types and data, leading to client-side logic manipulation and stored-XSS-equivalent effects when the data is inserted into the DOM. This is a CWE-93 (CRLF Injection) input-validation weakness that permits injection and XSS-like outcomes.

Affected Systems

The vulnerability affects the cowlib library maintained by ninenines, from version 2.6.0 onward. No other vendors are impacted. Applications that use cow_sse:event/1 to deliver Server-Sent Events are exposed.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity, and the EPSS score is currently unavailable. The issue is not listed in the CISA KEV catalog. Exploitation requires only that an attacker can get CR or LF characters into the id, event, data, or comment fields passed to cow_sse:event/1. In typical deployments, browsers consume the forged events and may trigger unintended handling or DOM manipulation, posing a moderate to high risk for exposed services with minimal prerequisites.

Generated by OpenCVE AI on May 11, 2026 at 19:22 UTC.

Remediation

Vendor Workaround

Sanitize user-controlled values before passing them to cow_sse:event/1: reject or strip any value containing \r or \n characters in the id, event, data, and comment fields. Alternatively, ensure that all SSE field values are derived exclusively from trusted, application-controlled data rather than user input.


OpenCVE Recommended Actions

  • Upgrade cowlib to a patched version in which the SSE field validation properly rejects or sanitizes CR and LF characters; obtain the latest release from the project's repository or package manager.
  • If an immediate upgrade is not possible, validate all user-controlled SSE field values by rejecting or stripping any \r or \n characters before passing them to cow_sse:event/1; "reject" means returning an error to the client, "strip" means removing the characters from the payload.
  • Ensure that SSE payloads are built exclusively from trusted, application-controlled data and avoid including raw user input in any of the id, event, data, or comment fields.

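As an added illustration (not cowlib's own Erlang code), the following Python models the encoder defect described above beside a remediated encoder, and runs both through a minimal decoder that honours all three SSE line terminators; `naive_encode`, `hardened_encode`, `decode` and the sample value are constructed for this example.

```python
import re

# A spec-compliant SSE decoder ends a line at any of \r\n, \r or \n.
LINE_END = re.compile(r"\r\n|\r|\n")


def naive_encode(event, data):
    """Mirrors the described defect: 'event' is checked only for \\n and
    'data' is split only on \\n, so a bare \\r reaches the wire untouched."""
    if "\n" in event:
        raise ValueError("event field contains LF")
    lines = ["event: " + event] + ["data: " + p for p in data.split("\n")]
    return "".join(line + "\n" for line in lines) + "\n"


def hardened_encode(event, data):
    """Remediated form: refuse any line terminator in the single-line
    'event' field and split 'data' on every terminator the decoder knows,
    so each fragment gets its own 'data:' prefix and cannot start a new line."""
    if LINE_END.search(event):
        raise ValueError("event field contains a line terminator")
    lines = ["event: " + event] + ["data: " + p for p in LINE_END.split(data)]
    return "".join(line + "\n" for line in lines) + "\n"


def decode(stream):
    """Minimal EventSource-style parser: split on all three terminators,
    collect event/data fields, dispatch on a blank line when data is present."""
    events, etype, buf = [], "message", []
    for line in LINE_END.split(stream):
        if line == "":
            if buf:
                events.append({"event": etype, "data": "\n".join(buf)})
            etype, buf = "message", []
        elif line.startswith(":"):
            continue  # comment line
        else:
            field, _, value = line.partition(":")
            value = value[1:] if value.startswith(" ") else value
            if field == "event":
                etype = value
            elif field == "data":
                buf.append(value)
            # unknown field names (including stray injected text) are ignored
    return events


if __name__ == "__main__":
    sample = "hello\rworld"  # constructed value containing a bare CR
    print(decode(naive_encode("greeting", sample)))     # data truncated to 'hello'
    print(decode(hardened_encode("greeting", sample)))  # data kept as 'hello\nworld'
```

The naive encoder lets the bare CR end the `data:` line early, so a conformant decoder sees a stray line and the rest of the value is lost; the hardened encoder turns every terminator into a fresh `data:` line and refuses a terminator in the single-line `event` field.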

Advisories

No advisories yet.

History

Mon, 11 May 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 18:45:00 +0000

Type: Description
Values added: Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values. cow_sse:event/1 in cowlib guards the id and event fields against \n but not against bare \r, and the internal prefix_lines/2 function used for data and comment fields splits only on \n. Because the SSE specification requires decoders to treat \r\n, \r, and \n as equivalent line terminators, an attacker who controls any of these fields can inject additional SSE lines and forge a complete event with an arbitrary event type and data payload on the receiving end. In typical deployments where browser EventSource clients or other SSE consumers dispatch on event.type and render event.data, this enables event splitting, client-side logic manipulation, and stored-XSS-equivalent behaviour when event data is inserted into the DOM. This issue affects cowlib from 2.6.0.

Type: Title
Values added: CR Injection in SSE Encoder Enables Event Splitting via cow_sse:event/1

Type: First Time appeared
Values added: Ninenines; Ninenines cowlib

Type: Weaknesses
Values added: CWE-93

Type: CPEs
Values added: cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values added: Ninenines; Ninenines cowlib

Type: References
Values added: (none)

Type: Metrics (cvssV4_0)
Values added: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-11T18:57:38.074Z

Reserved: 2026-05-04T18:23:25.573Z

Link: CVE-2026-43968

Vulnrichment

Updated: 2026-05-11T18:57:24.423Z

NVD

Status : Received

Published: 2026-05-11T19:16:25.100

Modified: 2026-05-11T19:16:25.100

Link: CVE-2026-43968

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T19:30:06Z

Weaknesses