CVE-2026-43966— Cowlib 注入漏洞

HTTP Response Splitting via Non-VCHAR Bytes in cow_http_struct_hd:escape_string/2

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields string values. cow_http_struct_hd:escape_string/2 in cowlib only escapes \ and ", passing all other bytes through verbatim. This creates an encoder/decoder asymmetry: the matching parser accepts only printable ASCII (0x20–0x7E, excluding " and \), but the encoder emits any byte including CR and LF. An application that builds a structured HTTP header via cow_http_struct_hd:item/1 (or a higher-level wrapper such as cow_http_hd:wt_protocol/1) from attacker-controlled input can have \r\n injected into the serialized header value. Once on the wire, the injected CRLF terminates the current header and any following bytes are interpreted as a new header, enabling HTTP response splitting. This issue affects cowlib from 2.9.0.

N/A

HTTP头部中CRLF序列转义处理不恰当(HTTP响应分割)

Cowlib 注入漏洞

Cowlib是Nine Nines开源的一个Web协议消息解析与构建库。 Cowlib 2.9.0版本存在注入漏洞，该漏洞源于CRLF序列中和不当，可能导致HTTP响应拆分，允许攻击者通过结构化字段字符串值中的非VCHAR字节注入CRLF。

N/A

N/A