Description
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields.

cow_cookie:cookie/1 in cowlib builds a client-side Cookie: request header from a list of name-value pairs without validating either field. An attacker who controls the cookie names or values passed to this function can inject ;, ,, CR, LF, or TAB characters into the serialized header. This enables two classes of attack: cookie smuggling within a single header (e.g. injecting "; admin=1" to introduce a phantom cookie that the receiving server treats as authentic) and HTTP request header splitting (injecting CRLF to append arbitrary headers or smuggle a complete second request against a shared upstream proxy). The decoder side (parse_cookie_name/1, parse_cookie_value/1) and setcookie/3 already validate and reject these characters; the encoder alone is missing the check.

This issue affects cowlib from 2.9.0.
Published: 2026-05-11
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is in cow_cookie:cookie/1 in the cowlib Erlang library, which serializes a client-side Cookie request header from a list of name-value pairs without validating either field. An attacker who can supply a cookie name or value containing CR, LF, TAB, semicolon or comma can therefore inject cookie delimiters or header delimiters into the serialized output. Two attacks follow: cookie smuggling, where a value such as "abc; admin=1" makes the receiving server parse a phantom admin=1 cookie as if the client had sent it, and HTTP request splitting, where an injected CRLF terminates the header and appends arbitrary headers or a complete second request to an upstream proxy the client shares with other traffic. The severity is rated low (CVSS 4.0 score 2.1), but wherever the library is used to build outbound requests the result is a loss of request integrity and potentially of authentication at the receiving service.

Affected Systems

The issue affects the ninenines cowlib Erlang library from version 2.9.0 onward; the advisory does not name a fixed release. Exposure is confined to the encoder in the cow_cookie module, so any application that passes untrusted data into cow_cookie:cookie/1 to build outgoing HTTP headers, without validating it first, is affected. The decoder (parse_cookie_name/1, parse_cookie_value/1) and setcookie/3 already reject these characters and are not affected.

Risk and Exploitability

The CVSS 4.0 score of 2.1 (vector AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N) reflects a local attack vector with preconditions and only a low integrity impact; the EPSS score is below 1% (Very Low), and the vulnerability is not in the KEV catalog. The SSVC assessment records no known exploitation and rates the flaw as not automatable. Exploitation requires the attacker to influence the arguments passed to cow_cookie:cookie/1, which in practice means finding an application path where user-controlled input is forwarded unvalidated into the cookie list of an outgoing request. Because only the encoder lacks validation, the attack surface is the construction of outgoing requests rather than the parsing of incoming ones. Within that surface, cookie smuggling or request splitting can yield authentication bypass or request tampering when the downstream server or proxy does not itself reject control characters in the Cookie header.

Generated by OpenCVE AI on May 11, 2026 at 19:23 UTC.

Remediation

Vendor Workaround

Validate inputs into cow_cookie:cookie/1 to only include valid cookie name and value characters as defined in RFC 6265 Section 4.1.1 before passing them to the function.


OpenCVE Recommended Actions

  • Update cowlib to a version that includes the encoder validation for cookie name and value characters
  • Validate any input meant for cow_cookie:cookie/1 to contain only characters permitted by RFC 6265 Section 4.1.1 before calling the function
  • Implement monitoring for unexpected CR or LF sequences in outgoing Cookie headers to detect potential injection attempts
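The following module is an added example, not cowlib's own code, illustrating both the injection described above and the RFC 6265 Section 4.1.1 input check the vendor workaround calls for. It assumes the Cookie header is built as "name=value" pairs joined with "; " (standard Cookie syntax), that pairs are {binary(), binary()} tuples, and it uses a deliberately naive unchecked_cookie/1 as a stand-in for the vulnerable encoder so the module runs without cowlib installed; in a real application the gated call would be cow_cookie:cookie/1 instead. The inputs in demo/0 are constructed for the example.

```erlang
%% cookie_guard.erl -- an added example, not cowlib's own code.
%%
%% Shows (1) how an unvalidated Cookie: encoder turns attacker-controlled
%% pairs into a smuggled cookie or a split request, and (2) the RFC 6265
%% section 4.1.1 check the vendor workaround asks for, placed in front of
%% the encoder. Assumptions: the header is "name=value" pairs joined with
%% "; " (standard Cookie syntax); unchecked_cookie/1 is a deliberately naive
%% stand-in for the vulnerable encoder so this module runs without cowlib.
-module(cookie_guard).
-export([unchecked_cookie/1, safe_cookie/1, valid_name/1, valid_value/1,
         header_has_crlf/1, demo/0]).

%% Naive encoder: concatenates pairs with no validation at all. This mirrors
%% the behaviour the advisory describes; it is NOT cowlib's implementation.
-spec unchecked_cookie([{binary(), binary()}]) -> binary().
unchecked_cookie(Pairs) ->
    iolist_to_binary(lists:join(<<"; ">>,
                                [<<N/binary, $=, V/binary>> || {N, V} <- Pairs])).

%% cookie-name = token (RFC 2616 section 2.2): one or more CHARs that are
%% neither CTLs nor separators. CTL, SP, HT, DEL and non-ASCII bytes fail
%% the first clause of is_token_char/1; the separator set fails the second.
-spec valid_name(binary()) -> boolean().
valid_name(<<>>) -> false;
valid_name(Name) when is_binary(Name) ->
    lists:all(fun is_token_char/1, binary_to_list(Name)).

is_token_char(C) when C =< 32; C >= 127 -> false;
is_token_char(C) -> not lists:member(C, "()<>@,;:\\\"/[]?={}").

%% cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
%% cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E, i.e.
%% printable US-ASCII minus CTLs, whitespace, DQUOTE, comma, semicolon and
%% backslash. The empty value is allowed; a lone or unbalanced DQUOTE is not.
-spec valid_value(binary()) -> boolean().
valid_value(Value) when is_binary(Value) ->
    case strip_quotes(Value) of
        error  -> false;
        Octets -> lists:all(fun is_cookie_octet/1, binary_to_list(Octets))
    end.

strip_quotes(<<$", Rest/binary>>) when byte_size(Rest) >= 1 ->
    case binary:last(Rest) of
        $" -> binary:part(Rest, 0, byte_size(Rest) - 1);
        _  -> error
    end;
strip_quotes(<<$">>) -> error;
strip_quotes(Value) -> Value.

is_cookie_octet(C) ->
    C =:= 16#21 orelse
    (C >= 16#23 andalso C =< 16#2B) orelse
    (C >= 16#2D andalso C =< 16#3A) orelse
    (C >= 16#3C andalso C =< 16#5B) orelse
    (C >= 16#5D andalso C =< 16#7E).

%% Gate for the encoder: every pair must pass both checks before anything is
%% serialized. In an application that has cowlib, replace unchecked_cookie/1
%% here with cow_cookie:cookie/1; the validation is the whole fix.
-spec safe_cookie([{binary(), binary()}]) ->
          {ok, binary()} | {error, {bad_name | bad_value, binary()}}.
safe_cookie(Pairs) ->
    case check_pairs(Pairs) of
        ok    -> {ok, unchecked_cookie(Pairs)};
        Error -> Error
    end.

check_pairs([]) -> ok;
check_pairs([{Name, Value} | Rest]) ->
    case {valid_name(Name), valid_value(Value)} of
        {false, _} -> {error, {bad_name, Name}};
        {_, false} -> {error, {bad_value, Value}};
        _          -> check_pairs(Rest)
    end.

%% Egress check for the "monitor outgoing Cookie headers" action: true if a
%% serialized header contains CR or LF, which a valid header never does.
-spec header_has_crlf(binary()) -> boolean().
header_has_crlf(Header) when is_binary(Header) ->
    binary:match(Header, [<<"\r">>, <<"\n">>]) =/= nomatch.

%% Constructed inputs: in both cases the value is attacker-controlled.
demo() ->
    Smuggle = [{<<"session">>, <<"abc; admin=1">>}],
    Split   = [{<<"session">>,
                <<"abc\r\nX-Injected: 1\r\n\r\nGET /admin HTTP/1.1">>}],
    %% Unchecked: "session=abc; admin=1" -- the server sees a phantom admin cookie.
    <<"session=abc; admin=1">> = unchecked_cookie(Smuggle),
    %% Unchecked: CRLF reaches the wire, so a second request can be smuggled.
    true = header_has_crlf(unchecked_cookie(Split)),
    %% Hardened: both are refused before any header exists; clean input passes.
    {error, {bad_value, _}} = safe_cookie(Smuggle),
    {error, {bad_value, _}} = safe_cookie(Split),
    {error, {bad_name, _}}  = safe_cookie([{<<"se;ssion">>, <<"abc">>}]),
    {ok, <<"session=abc; theme=\"dark\"">>} =
        safe_cookie([{<<"session">>, <<"abc">>}, {<<"theme">>, <<"\"dark\"">>}]),
    ok.
```

Compile with `erlc cookie_guard.erl` and run `cookie_guard:demo().` in an Erlang shell; it returns `ok` when every assertion in demo/0 holds and crashes with a badmatch otherwise. The validator is deliberately stricter than the decoder-side functions the advisory mentions in one respect: it accepts only binaries, so a caller that has been passing iolists or strings will fail at the guard rather than silently serialising something the grammar does not cover.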

Generated by OpenCVE AI on May 11, 2026 at 19:23 UTC.

Advisories

No advisories yet.

History

Mon, 11 May 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 18:45:00 +0000

Type: Description
Values Added: Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields. cow_cookie:cookie/1 in cowlib builds a client-side Cookie: request header from a list of name-value pairs without validating either field. An attacker who controls the cookie names or values passed to this function can inject ;, ,, CR, LF, or TAB characters into the serialized header. This enables two classes of attack: cookie smuggling within a single header (e.g. injecting "; admin=1" to introduce a phantom cookie that the receiving server treats as authentic) and HTTP request header splitting (injecting CRLF to append arbitrary headers or smuggle a complete second request against a shared upstream proxy). The decoder side (parse_cookie_name/1, parse_cookie_value/1) and setcookie/3 already validate and reject these characters; the encoder alone is missing the check. This issue affects cowlib from 2.9.0.
Type: Title
Values Added: Cookie Request Header Injection via Unvalidated Encoder in cow_cookie:cookie/1
Type: First Time appeared
Values Added: Ninenines; Ninenines cowlib
Type: Weaknesses
Values Added: CWE-93
Type: CPEs
Values Added: cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*
Type: Vendors & Products
Values Added: Ninenines; Ninenines cowlib
Type: References
Values Added: (none listed)
Type: Metrics (cvssV4_0)
Values Added: {'score': 2.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-12T04:26:34.206Z

Reserved: 2026-05-04T18:23:25.573Z

Link: CVE-2026-43969

Vulnrichment

Updated: 2026-05-11T18:55:21.472Z

NVD

Status : Received

Published: 2026-05-11T19:16:25.330

Modified: 2026-05-11T19:16:25.330

Link: CVE-2026-43969

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:22:39Z

Weaknesses