CVE-2026-43969

LOW EPSS 4.2%
Published May 11, 20261mo ago · Modified Jun 17, 20262w ago
2.1 CVSS 4.0
Low
Find Similar
Published May 11, 2026 1mo ago
Last Modified Jun 17, 2026 2w ago

Description

Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields. cow_cookie:cookie/1 in cowlib builds a client-side Cookie: request header from a list of name-value pairs without validating either field. An attacker who controls the cookie names or values passed to this function can inject ;, ,, CR, LF, or TAB characters into the serialized header. This enables two classes of attack: cookie smuggling within a single header (e.g. injecting "; admin=1" to introduce a phantom cookie that the receiving server treats as authentic) and HTTP request header splitting (injecting CRLF to append arbitrary headers or smuggle a complete second request against a shared upstream proxy). The decoder side (parse_cookie_name/1, parse_cookie_value/1) and setcookie/3 already validate and reject these characters; the encoder alone is missing the check. This issue affects cowlib from 2.9.0.

CVSS Details

Base Score
2.1
Exploitability
Impact
Vector string
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Local
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
4.2% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-93

Affected Products 1

VendorProductVersionRange
nineninescowlib*≥2.9.0  –  ≤2.16.1

References 3

  • cna.erlef.org https://cna.erlef.org/cves/CVE-2026-43969.html
    Vendor Advisory
  • github.com https://github.com/erlef/cowlib/commit/177953dd51540da11090666c1f007214127a1144
    Patch
  • osv.dev https://osv.dev/vulnerability/EEF-CVE-2026-43969
    Third Party Advisory

Remediation

  • github.com https://github.com/erlef/cowlib/commit/177953dd51540da11090666c1f007214127a1144
    Patch