Description
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values.

cow_sse:event/1 in cowlib guards the id and event fields against \n but not against bare \r, and the internal prefix_lines/2 function used for data and comment fields splits only on \n. Because the SSE specification requires decoders to treat \r\n, \r, and \n as equivalent line terminators, an attacker who controls any of these fields can inject additional SSE lines and forge a complete event with an arbitrary event type and data payload on the receiving end. In typical deployments where browser EventSource clients or other SSE consumers dispatch on event.type and render event.data, this enables event splitting, client-side logic manipulation, and stored-XSS-equivalent behaviour when event data is inserted into the DOM.

This issue affects cowlib from 2.6.0 before 2.16.1.
Published: 2026-05-11
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper neutralization of CRLF sequences in cowlib's SSE encoder allows an attacker to inject bare carriage return characters into the id, event, data, or comment fields. The encoder rejects line feeds in id and event and prefixes each line-feed-separated line of data and comment, but it never handles a bare carriage return, which SSE decoders also treat as a line terminator. An attacker can therefore split the output into additional Server-Sent Event lines and forge complete events with arbitrary event types and data strings. When a browser consumes these events, it dispatches them to the application's handlers by type and may render their data in the DOM, leading to client-side logic manipulation and stored-XSS-equivalent effects.

Affected Systems

The vulnerability affects the cowlib library by ninenines from version 2.6.0 up to but excluding 2.16.1. No other vendors are impacted. Applications that build SSE payloads with cow_sse:event/1 from values an attacker can influence, in any of the id, event, data, or comment fields, are exposed.

Risk and Exploitability

The CVSS 4.0 base score of 6.3 indicates moderate severity; the vector (AV:N/AC:L/AT:P/PR:N/UI:N) describes a network-reachable issue that needs no privileges or user interaction but carries an attack requirement: the application must pass attacker-controlled text into an SSE field. The EPSS probability shown for this CVE is below 1%, and the issue is not listed in the CISA KEV catalog. Exploitation requires that an attacker be able to place a bare carriage return (\r) into a value the application passes to cow_sse:event/1; line feeds are already rejected in id and event and prefixed per line in data and comment, so they do not split events on their own. Browsers consuming the forged events dispatch them by type to application handlers and may render the forged data, so the practical risk is highest where event data reaches the DOM without escaping or drives client-side control flow.

Generated by OpenCVE AI on May 12, 2026 at 13:21 UTC.

Remediation

Vendor Workaround

Sanitize user-controlled values before passing them to cow_sse:event/1: reject or strip any value containing \r or \n characters in the id, event, data, and comment fields. Alternatively, ensure that all SSE field values are derived exclusively from trusted, application-controlled data rather than user input.


OpenCVE Recommended Actions

  • Upgrade cowlib to 2.16.1 or later, the first release outside the affected range, which properly rejects or sanitizes CR and LF characters in SSE field values; obtain it from the project's repository or package manager.
  • If an immediate upgrade is not possible, validate every user-controlled SSE field value before passing it to cow_sse:event/1 by rejecting or stripping any \r or \n characters; rejecting means returning an error to the client, stripping means removing the characters from the payload. Note that a \n inside data or comment is prefixed per line by the encoder and is not itself an injection; the bare \r is the character that splits events, and it must be removed or the value rejected in all four fields.
  • Ensure that SSE payloads are built exclusively from trusted, application‑controlled data and avoid including raw user input in any of the id, event, data, or comment fields.

Generated by OpenCVE AI on May 12, 2026 at 13:21 UTC.
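
As an added example (not cowlib's code, and not from the advisory's authors), the following JavaScript models the encoder behaviour described in the Description above, runs its output through a decoder that applies the SSE line-terminator rule, and shows a hardened encoder that performs the validation the actions above recommend. The names encodeEventVulnerable, decodeStream, encodeEventHardened and the FORGED_MESSAGE input are this example's own; the hardened encoder is an assumed correct fix, not a description of what cowlib 2.16.1 changed.

```javascript
// Added example, not cowlib's code: a model of the pre-2.16.1 cow_sse:event/1
// behaviour the advisory describes, a decoder that applies the SSE
// line-terminator rule, and a hardened encoder. All inputs are constructed.

const LF = "\n";
const ANY_LINE_BREAK = /\r\n|\r|\n/; // SSE: CRLF, CR and LF all end a line

// Splits on "\n" only, as the advisory says prefix_lines/2 does, so a bare
// "\r" survives inside one prefixed "line".
function prefixLinesLfOnly(prefix, value) {
  return value.split(LF).map((l) => `${prefix}: ${l}${LF}`).join("");
}

// Model of the vulnerable encoder: id and event reject "\n" but not "\r".
function encodeEventVulnerable({ id, event, data, comment }) {
  let out = "";
  if (comment !== undefined) out += prefixLinesLfOnly("", comment);
  if (id !== undefined) {
    if (id.includes(LF)) throw new Error("id must not contain LF");
    out += `id: ${id}${LF}`;
  }
  if (event !== undefined) {
    if (event.includes(LF)) throw new Error("event must not contain LF");
    out += `event: ${event}${LF}`;
  }
  if (data !== undefined) out += prefixLinesLfOnly("data", data);
  return out + LF; // the blank line terminates the event
}

// Decoder following the EventSource rules that matter here: any of CRLF, CR
// or LF ends a line, a blank line dispatches, lines starting with ":" are
// comments, one optional space after the colon is dropped from the value.
function decodeStream(stream) {
  const events = [];
  let dataBuf = "";
  let typeBuf = "";
  let lastId = "";
  const lines = stream.split(ANY_LINE_BREAK);
  lines.pop(); // text after the final terminator is not yet a complete line
  for (const line of lines) {
    if (line === "") {
      if (dataBuf !== "") {
        events.push({ type: typeBuf || "message", data: dataBuf.slice(0, -1), lastEventId: lastId });
      }
      dataBuf = "";
      typeBuf = "";
      continue;
    }
    if (line.startsWith(":")) continue;
    const colon = line.indexOf(":");
    const field = colon === -1 ? line : line.slice(0, colon);
    let value = colon === -1 ? "" : line.slice(colon + 1);
    if (value.startsWith(" ")) value = value.slice(1);
    if (field === "event") typeBuf = value;
    else if (field === "data") dataBuf += value + LF;
    else if (field === "id" && !value.includes("\0")) lastId = value;
    // "retry" and unknown fields are ignored in this model
  }
  return events;
}

// Hardened variant (an assumed correct fix, not necessarily what 2.16.1
// does): single-line fields reject any terminator, multi-line fields are
// split on every terminator so each segment is prefixed and cannot escape.
function rejectLineBreaks(name, value) {
  if (ANY_LINE_BREAK.test(value)) throw new Error(`${name} must not contain CR or LF`);
  return value;
}

function prefixLinesAll(prefix, value) {
  return value.split(ANY_LINE_BREAK).map((l) => `${prefix}: ${l}${LF}`).join("");
}

function encodeEventHardened({ id, event, data, comment }) {
  let out = "";
  if (comment !== undefined) out += prefixLinesAll("", comment);
  if (id !== undefined) out += `id: ${rejectLineBreaks("id", id)}${LF}`;
  if (event !== undefined) out += `event: ${rejectLineBreaks("event", event)}${LF}`;
  if (data !== undefined) out += prefixLinesAll("data", data);
  return out + LF;
}

// Constructed attacker input: a "chat message" whose bare CRs close the
// legitimate event and open a forged one with an attacker-chosen type.
const FORGED_MESSAGE = 'hi\r\revent: admin-cmd\rdata: {"action":"delete-all"}';

function demonstrate() {
  const input = { event: "chat", data: FORGED_MESSAGE };
  return {
    vulnerable: decodeStream(encodeEventVulnerable(input)),
    hardened: decodeStream(encodeEventHardened(input)),
  };
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

Run it with node: the vulnerable path dispatches two events, the second carrying the attacker's admin-cmd type and payload, while the hardened path dispatches a single chat event whose data carries the injected text inertly (the decoder rejoins the prefixed segments with \n). In a real deployment the decoder is the browser's EventSource or another SSE client, which is why the fix has to live on the encoder side.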

Advisories

Source: GitHub GHSA
ID: GHSA-hv23-4qp7-8c8r
Title: ninenines cowlib: Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability allows SSE event splitting and injection via unvalidated field values

History

Thu, 21 May 2026 14:00:00 +0000

Metrics, values added: cvssV3_1
{'score': 4.0, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N'}

Tue, 12 May 2026 12:45:00 +0000

Description, value changed: the affected-version clause "This issue affects cowlib from 2.6.0." was replaced by "This issue affects cowlib from 2.6.0 before 2.16.1."; the rest of the description text is unchanged (see Description above).

Mon, 11 May 2026 19:15:00 +0000

Metrics, values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 18:45:00 +0000

Values added:
Description: initial text, identical to the Description above except that the affected-version clause read "This issue affects cowlib from 2.6.0."
Title: CR Injection in SSE Encoder Enables Event Splitting via cow_sse:event/1
First Time appeared: Ninenines; Ninenines cowlib
Weaknesses: CWE-93
CPEs: cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*
Vendors & Products: Ninenines; Ninenines cowlib
References:
Metrics: cvssV4_0
{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-12T12:11:43.388Z

Reserved: 2026-05-04T18:23:25.573Z

Link: CVE-2026-43968

Vulnrichment

Updated: 2026-05-11T18:57:24.423Z

NVD

Status: Analyzed

Published: 2026-05-11T19:16:25.100

Modified: 2026-05-21T13:59:07.077

Link: CVE-2026-43968

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T13:30:16Z

Weaknesses
  • CWE-93

    Improper Neutralization of CRLF Sequences ('CRLF Injection')