HTTP Response Splitting via Non-VCHAR Bytes in cow_http_struct_hd:escape_string/2
CVE-2026-43966

6.3MEDIUM

Key Information:

Vendor: Ninenines
Status: Cowlib
Vendor: CVE Published:; 8 June 2026

What is CVE-2026-43966?

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields string values.

cow_http_struct_hd:escape_string/2 in cowlib only escapes \ and ", passing all other bytes through verbatim. This creates an encoder/decoder asymmetry: the matching parser accepts only printable ASCII (0x20–0x7E, excluding " and ), but the encoder emits any byte including CR and LF. An application that builds a structured HTTP header via cow_http_struct_hd:item/1 (or a higher-level wrapper such as cow_http_hd:wt_protocol/1) from attacker-controlled input can have \r\n injected into the serialized header value. Once on the wire, the injected CRLF terminates the current header and any following bytes are interpreted as a new header, enabling HTTP response splitting.

This issue affects cowlib from 2.9.0.

Affected Version(s)

cowlib 2.9.0

cowlib a8b793db3d6ffe91d62f81baf41b1dab4cd78fb6

References

https://cna.erlef.org/cves/CVE-2026-43966.html

relatedthird-party-advisory

https://osv.dev/vulnerability/EEF-CVE-2026-43966

https://github.com/ninenines/cowboy/commit/f77cb9b5e730e3...

mitigation

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 8, 2026
Vulnerability Reserved
May 4, 2026

Credit

Peter Ullrich

Loïc Hoguin

CVE-2026-43966 Data

JSON

Ninenines

What is CVE-2026-43966?

Affected Version(s)

References

CVSS V4

Timeline

Credit