CVE-2026-43966
HTTP Response Splitting via Non-VCHAR Bytes in cow_http_struct_hd:escape_string/2
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields string values. cow_http_struct_hd:escape_string/2 in cowlib only escapes \ and ", passing all other bytes through verbatim. This creates an encoder/decoder asymmetry: the matching parser accepts only printable ASCII (0x20โ0x7E, excluding " and \), but the encoder emits any byte including CR and LF. An application that builds a structured HTTP header via cow_http_struct_hd:item/1 (or a higher-level wrapper such as cow_http_hd:wt_protocol/1) from attacker-controlled input can have \r\n injected into the serialized header value. Once on the wire, the injected CRLF terminates the current header and any following bytes are interpreted as a new header, enabling HTTP response splitting. This issue affects cowlib from 2.9.0.
| CWE | CWE-113 |
| Vendor | ninenines |
| Product | cowlib |
| Published | Jun 8, 2026 |
| Last Updated | Jun 9, 2026 |
Get instant alerts for ninenines cowlib
Be the first to know when new unknown vulnerabilities affecting ninenines cowlib are published โ delivered to Slack, Telegram or Discord.