Search criteria
5 vulnerabilities by ninenines
CVE-2026-43970 (GCVE-0-2026-43970)
Vulnerability from cvelistv5 – Published: 2026-05-13 18:43 – Updated: 2026-05-15 04:33
VLAI
Title
Decompression Bomb in cow_spdy:inflate/2 Allows Memory Exhaustion via Crafted SPDY Frame
Summary
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion.
cow_spdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY header compression dictionary (?ZDICT) is public, and zlib compresses long runs of repeated bytes at roughly 1024:1, so a few kilobytes of SPDY frame payload can decompress to gigabytes on the BEAM heap, OOM-killing the node. A single unauthenticated SPDY frame is sufficient to trigger the condition. The parsers for syn_stream, syn_reply, and headers frame types are all affected via cow_spdy:parse_headers/2.
This issue affects cowlib from 0.1.0 before 2.16.1.
Severity
CWE
- CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://cna.erlef.org/cves/CVE-2026-43970.html | relatedthird-party-advisory |
| https://osv.dev/vulnerability/EEF-CVE-2026-43970 | related |
| https://github.com/ninenines/cowlib/commit/16aad3… | patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-43970",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T12:38:59.086048Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T12:39:10.669Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"cow_spdy"
],
"packageName": "cowlib",
"packageURL": "pkg:hex/cowlib",
"product": "cowlib",
"programFiles": [
"src/cow_spdy.erl"
],
"programRoutines": [
{
"name": "cow_spdy:parse/2"
},
{
"name": "cow_spdy:inflate/2"
},
{
"name": "cow_spdy:parse_headers/2"
},
{
"name": "cow_spdy:parse_headers/4"
}
],
"repo": "https://github.com/ninenines/cowlib",
"vendor": "ninenines",
"versions": [
{
"lessThan": "2.16.1",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"cow_spdy"
],
"packageName": "ninenines/cowlib",
"packageURL": "pkg:github/ninenines/cowlib",
"product": "cowlib",
"programFiles": [
"src/cow_spdy.erl"
],
"programRoutines": [
{
"name": "cow_spdy:parse/2"
},
{
"name": "cow_spdy:inflate/2"
},
{
"name": "cow_spdy:parse_headers/2"
},
{
"name": "cow_spdy:parse_headers/4"
}
],
"repo": "https://github.com/ninenines/cowlib",
"vendor": "ninenines",
"versions": [
{
"lessThan": "16aad3fb9f81f5cda4d1706ff0c54237c619c282",
"status": "affected",
"version": "fad5c0049df278cc498b6cdb519b09e845a070a8",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe application must use \u003ctt\u003ecow_spdy:parse/2\u003c/tt\u003e to parse SPDY frames from an untrusted peer. cowboy itself does not use \u003ctt\u003ecow_spdy\u003c/tt\u003e; only direct callers of the \u003ctt\u003ecow_spdy\u003c/tt\u003e API are affected.\u003c/p\u003e"
}
],
"value": "The application must use cow_spdy:parse/2 to parse SPDY frames from an untrusted peer. cowboy itself does not use cow_spdy; only direct callers of the cow_spdy API are affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.16.1",
"versionStartIncluding": "0.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lo\u00efc Hoguin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion.\u003c/p\u003e\u003cp\u003e\u003ctt\u003ecow_spdy:inflate/2\u003c/tt\u003e in cowlib passes peer-supplied compressed bytes directly to \u003ctt\u003ezlib:inflate/2\u003c/tt\u003e with no output size bound. The SPDY header compression dictionary (\u003ctt\u003e?ZDICT\u003c/tt\u003e) is public, and zlib compresses long runs of repeated bytes at roughly 1024:1, so a few kilobytes of SPDY frame payload can decompress to gigabytes on the BEAM heap, OOM-killing the node. A single unauthenticated SPDY frame is sufficient to trigger the condition. The parsers for \u003ctt\u003esyn_stream\u003c/tt\u003e, \u003ctt\u003esyn_reply\u003c/tt\u003e, and \u003ctt\u003eheaders\u003c/tt\u003e frame types are all affected via \u003ctt\u003ecow_spdy:parse_headers/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects cowlib from 0.1.0 before 2.16.1.\u003c/p\u003e"
}
],
"value": "Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion.\n\ncow_spdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY header compression dictionary (?ZDICT) is public, and zlib compresses long runs of repeated bytes at roughly 1024:1, so a few kilobytes of SPDY frame payload can decompress to gigabytes on the BEAM heap, OOM-killing the node. A single unauthenticated SPDY frame is sufficient to trigger the condition. The parsers for syn_stream, syn_reply, and headers frame types are all affected via cow_spdy:parse_headers/2.\n\nThis issue affects cowlib from 0.1.0 before 2.16.1."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-409",
"description": "CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T04:33:30.898Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"related",
"third-party-advisory"
],
"url": "https://cna.erlef.org/cves/CVE-2026-43970.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-43970"
},
{
"tags": [
"patch"
],
"url": "https://github.com/ninenines/cowlib/commit/16aad3fb9f81f5cda4d1706ff0c54237c619c282"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpgrade to cowlib 2.16.1 or later, in which the \u003ctt\u003ecow_spdy\u003c/tt\u003e module has been removed entirely. No patched version of \u003ctt\u003ecow_spdy\u003c/tt\u003e will be provided. Migrate away from SPDY, which has been deprecated since 2015 in favour of HTTP/2.\u003c/p\u003e"
}
],
"value": "Upgrade to cowlib 2.16.1 or later, in which the cow_spdy module has been removed entirely. No patched version of cow_spdy will be provided. Migrate away from SPDY, which has been deprecated since 2015 in favour of HTTP/2."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Decompression Bomb in cow_spdy:inflate/2 Allows Memory Exhaustion via Crafted SPDY Frame",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-43970",
"datePublished": "2026-05-13T18:43:11.640Z",
"dateReserved": "2026-05-04T18:23:25.574Z",
"dateUpdated": "2026-05-15T04:33:30.898Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8466 (GCVE-0-2026-8466)
Vulnerability from cvelistv5 – Published: 2026-05-13 18:26 – Updated: 2026-05-14 04:30
VLAI
Title
Unbounded buffer accumulation in multipart header parsing causes denial of service in cowboy
Summary
Allocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing.
cowboy_req:read_part/3 in src/cowboy_req.erl accumulates incoming request bytes into a Buffer binary with no upper-bound check. When cow_multipart:parse_headers/2 returns more or {more, Buffer2}, the function reads up to Length bytes (default 64 KB) from the request body and recurses with the enlarged buffer. There is no equivalent of the byte_size(Acc) > Length guard present in the sibling function read_part_body/4. An unauthenticated attacker can send a multipart/form-data request whose body never yields a complete header section — for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain \r\n\r\n — and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory.
This issue affects cowboy from 2.0.0 before 2.15.0.
Severity
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://cna.erlef.org/cves/CVE-2026-8466.html | relatedthird-party-advisory |
| https://osv.dev/vulnerability/EEF-CVE-2026-8466 | related |
| https://github.com/ninenines/cowboy/commit/5c6a20… | patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8466",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T18:46:37.406887Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T18:52:29.452Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:ninenines:cowboy:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"cowboy_req"
],
"packageName": "cowboy",
"packageURL": "pkg:hex/cowboy",
"product": "cowboy",
"programFiles": [
"src/cowboy_req.erl"
],
"programRoutines": [
{
"name": "cowboy_req:read_part/1"
},
{
"name": "cowboy_req:read_part/2"
},
{
"name": "cowboy_req:read_part/3"
}
],
"repo": "https://github.com/ninenines/cowboy",
"vendor": "ninenines",
"versions": [
{
"lessThan": "2.15.0",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:ninenines:cowboy:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"cowboy_req"
],
"packageName": "ninenines/cowboy",
"packageURL": "pkg:github/ninenines/cowboy",
"product": "cowboy",
"programFiles": [
"src/cowboy_req.erl"
],
"programRoutines": [
{
"name": "cowboy_req:read_part/1"
},
{
"name": "cowboy_req:read_part/2"
},
{
"name": "cowboy_req:read_part/3"
}
],
"repo": "https://github.com/ninenines/cowboy",
"vendor": "ninenines",
"versions": [
{
"lessThan": "5c6a2061b41bb5771c4659fac7d5a822dca5bafb",
"status": "affected",
"version": "917cf99e10c41676183d501b86af6e47c95afb89",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe application must expose an HTTP endpoint that calls \u003ctt\u003ecowboy_req:read_part/1,2\u003c/tt\u003e to process \u003ctt\u003emultipart/form-data\u003c/tt\u003e request bodies. Deployments that do not handle multipart uploads are not affected.\u003c/p\u003e"
}
],
"value": "The application must expose an HTTP endpoint that calls cowboy_req:read_part/1,2 to process multipart/form-data request bodies. Deployments that do not handle multipart uploads are not affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ninenines:cowboy:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.15.0",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lo\u00efc Hoguin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAllocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing.\u003c/p\u003e\u003cp\u003e\u003ctt\u003ecowboy_req:read_part/3\u003c/tt\u003e in \u003ctt\u003esrc/cowboy_req.erl\u003c/tt\u003e accumulates incoming request bytes into a \u003ctt\u003eBuffer\u003c/tt\u003e binary with no upper-bound check. When \u003ctt\u003ecow_multipart:parse_headers/2\u003c/tt\u003e returns \u003ctt\u003emore\u003c/tt\u003e or \u003ctt\u003e{more, Buffer2}\u003c/tt\u003e, the function reads up to \u003ctt\u003eLength\u003c/tt\u003e bytes (default 64 KB) from the request body and recurses with the enlarged buffer. There is no equivalent of the \u003ctt\u003ebyte_size(Acc) \u0026gt; Length\u003c/tt\u003e guard present in the sibling function \u003ctt\u003eread_part_body/4\u003c/tt\u003e. An unauthenticated attacker can send a \u003ctt\u003emultipart/form-data\u003c/tt\u003e request whose body never yields a complete header section \u2014 for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain \u003ctt\u003e\\r\\n\\r\\n\u003c/tt\u003e \u2014 and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory.\u003c/p\u003e\u003cp\u003eThis issue affects cowboy from 2.0.0 before 2.15.0.\u003c/p\u003e"
}
],
"value": "Allocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing.\n\ncowboy_req:read_part/3 in src/cowboy_req.erl accumulates incoming request bytes into a Buffer binary with no upper-bound check. When cow_multipart:parse_headers/2 returns more or {more, Buffer2}, the function reads up to Length bytes (default 64 KB) from the request body and recurses with the enlarged buffer. There is no equivalent of the byte_size(Acc) \u003e Length guard present in the sibling function read_part_body/4. An unauthenticated attacker can send a multipart/form-data request whose body never yields a complete header section \u2014 for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain \\r\\n\\r\\n \u2014 and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory.\n\nThis issue affects cowboy from 2.0.0 before 2.15.0."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T04:30:32.552Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"related",
"third-party-advisory"
],
"url": "https://cna.erlef.org/cves/CVE-2026-8466.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-8466"
},
{
"tags": [
"patch"
],
"url": "https://github.com/ninenines/cowboy/commit/5c6a2061b41bb5771c4659fac7d5a822dca5bafb"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unbounded buffer accumulation in multipart header parsing causes denial of service in cowboy",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-8466",
"datePublished": "2026-05-13T18:26:21.089Z",
"dateReserved": "2026-05-13T11:44:39.149Z",
"dateUpdated": "2026-05-14T04:30:32.552Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43968 (GCVE-0-2026-43968)
Vulnerability from cvelistv5 – Published: 2026-05-11 18:06 – Updated: 2026-05-12 12:11
VLAI
Title
CR Injection in SSE Encoder Enables Event Splitting via cow_sse:event/1
Summary
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values.
cow_sse:event/1 in cowlib guards the id and event fields against \n but not against bare \r, and the internal prefix_lines/2 function used for data and comment fields splits only on \n. Because the SSE specification requires decoders to treat \r\n, \r, and \n as equivalent line terminators, an attacker who controls any of these fields can inject additional SSE lines and forge a complete event with an arbitrary event type and data payload on the receiving end. In typical deployments where browser EventSource clients or other SSE consumers dispatch on event.type and render event.data, this enables event splitting, client-side logic manipulation, and stored-XSS-equivalent behaviour when event data is inserted into the DOM.
This issue affects cowlib from 2.6.0 before 2.16.1.
Severity
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://cna.erlef.org/cves/CVE-2026-43968.html | relatedthird-party-advisory |
| https://osv.dev/vulnerability/EEF-CVE-2026-43968 | related |
| https://github.com/ninenines/cowlib/commit/6165fc… | patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-43968",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T18:57:13.541982Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:57:38.074Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"cow_sse"
],
"packageName": "cowlib",
"packageURL": "pkg:hex/cowlib",
"product": "cowlib",
"programFiles": [
"src/cow_sse.erl"
],
"programRoutines": [
{
"name": "cow_sse:event/1"
},
{
"name": "cow_sse:event_id/1"
},
{
"name": "cow_sse:event_name/1"
},
{
"name": "cow_sse:event_data/1"
},
{
"name": "cow_sse:event_comment/1"
},
{
"name": "cow_sse:prefix_lines/2"
}
],
"repo": "https://github.com/ninenines/cowlib",
"vendor": "ninenines",
"versions": [
{
"lessThan": "2.16.1",
"status": "affected",
"version": "2.6.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"cow_sse"
],
"packageName": "ninenines/cowlib",
"packageURL": "pkg:github/ninenines/cowlib",
"product": "cowlib",
"programFiles": [
"src/cow_sse.erl"
],
"programRoutines": [
{
"name": "cow_sse:event/1"
},
{
"name": "cow_sse:event_id/1"
},
{
"name": "cow_sse:event_name/1"
},
{
"name": "cow_sse:event_data/1"
},
{
"name": "cow_sse:event_comment/1"
},
{
"name": "cow_sse:prefix_lines/2"
}
],
"repo": "https://github.com/ninenines/cowlib",
"vendor": "ninenines",
"versions": [
{
"lessThan": "6165fc40efa159ba1cceee7e7981e790acba5d9c",
"status": "affected",
"version": "93b2b897cde238506c803faad4d1602d79dba7c9",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe application must pass user-controlled data as the \u003ctt\u003eid\u003c/tt\u003e, \u003ctt\u003eevent\u003c/tt\u003e, \u003ctt\u003edata\u003c/tt\u003e, or \u003ctt\u003ecomment\u003c/tt\u003e field to \u003ctt\u003ecow_sse:event/1\u003c/tt\u003e (or a higher-level wrapper such as \u003ctt\u003ecowboy_req:stream_events/3\u003c/tt\u003e). Applications that construct SSE events exclusively from trusted, application-controlled values are not affected.\u003c/p\u003e"
}
],
"value": "The application must pass user-controlled data as the id, event, data, or comment field to cow_sse:event/1 (or a higher-level wrapper such as cowboy_req:stream_events/3). Applications that construct SSE events exclusively from trusted, application-controlled values are not affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.16.1",
"versionStartIncluding": "2.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lo\u00efc Hoguin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values.\u003c/p\u003e\u003cp\u003e\u003ctt\u003ecow_sse:event/1\u003c/tt\u003e in cowlib guards the \u003ctt\u003eid\u003c/tt\u003e and \u003ctt\u003eevent\u003c/tt\u003e fields against \u003ctt\u003e\\n\u003c/tt\u003e but not against bare \u003ctt\u003e\\r\u003c/tt\u003e, and the internal \u003ctt\u003eprefix_lines/2\u003c/tt\u003e function used for \u003ctt\u003edata\u003c/tt\u003e and \u003ctt\u003ecomment\u003c/tt\u003e fields splits only on \u003ctt\u003e\\n\u003c/tt\u003e. Because the SSE specification requires decoders to treat \u003ctt\u003e\\r\\n\u003c/tt\u003e, \u003ctt\u003e\\r\u003c/tt\u003e, and \u003ctt\u003e\\n\u003c/tt\u003e as equivalent line terminators, an attacker who controls any of these fields can inject additional SSE lines and forge a complete event with an arbitrary event type and data payload on the receiving end. In typical deployments where browser \u003ctt\u003eEventSource\u003c/tt\u003e clients or other SSE consumers dispatch on \u003ctt\u003eevent.type\u003c/tt\u003e and render \u003ctt\u003eevent.data\u003c/tt\u003e, this enables event splitting, client-side logic manipulation, and stored-XSS-equivalent behaviour when event data is inserted into the DOM.\u003c/p\u003e\u003cp\u003eThis issue affects cowlib from 2.6.0 before 2.16.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values.\n\ncow_sse:event/1 in cowlib guards the id and event fields against \\n but not against bare \\r, and the internal prefix_lines/2 function used for data and comment fields splits only on \\n. Because the SSE specification requires decoders to treat \\r\\n, \\r, and \\n as equivalent line terminators, an attacker who controls any of these fields can inject additional SSE lines and forge a complete event with an arbitrary event type and data payload on the receiving end. In typical deployments where browser EventSource clients or other SSE consumers dispatch on event.type and render event.data, this enables event splitting, client-side logic manipulation, and stored-XSS-equivalent behaviour when event data is inserted into the DOM.\n\nThis issue affects cowlib from 2.6.0 before 2.16.1."
}
],
"impacts": [
{
"capecId": "CAPEC-34",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-34 HTTP Response Splitting"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T12:11:43.388Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"related",
"third-party-advisory"
],
"url": "https://cna.erlef.org/cves/CVE-2026-43968.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-43968"
},
{
"tags": [
"patch"
],
"url": "https://github.com/ninenines/cowlib/commit/6165fc40efa159ba1cceee7e7981e790acba5d9c"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "CR Injection in SSE Encoder Enables Event Splitting via cow_sse:event/1",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSanitize user-controlled values before passing them to \u003ctt\u003ecow_sse:event/1\u003c/tt\u003e: reject or strip any value containing \u003ctt\u003e\\r\u003c/tt\u003e or \u003ctt\u003e\\n\u003c/tt\u003e characters in the \u003ctt\u003eid\u003c/tt\u003e, \u003ctt\u003eevent\u003c/tt\u003e, \u003ctt\u003edata\u003c/tt\u003e, and \u003ctt\u003ecomment\u003c/tt\u003e fields. Alternatively, ensure that all SSE field values are derived exclusively from trusted, application-controlled data rather than user input.\u003c/p\u003e"
}
],
"value": "Sanitize user-controlled values before passing them to cow_sse:event/1: reject or strip any value containing \\r or \\n characters in the id, event, data, and comment fields. Alternatively, ensure that all SSE field values are derived exclusively from trusted, application-controlled data rather than user input."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-43968",
"datePublished": "2026-05-11T18:06:42.881Z",
"dateReserved": "2026-05-04T18:23:25.573Z",
"dateUpdated": "2026-05-12T12:11:43.388Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7790 (GCVE-0-2026-7790)
Vulnerability from cvelistv5 – Published: 2026-05-11 18:06 – Updated: 2026-05-26 19:46
VLAI
Title
Unbounded chunk-size hex digits in cowlib cause quadratic CPU and memory DoS
Summary
Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow_http_te module) allows Excessive Allocation.
The chunked transfer-encoding parser in cow_http_te accepts an unbounded number of hex digits in the chunk-size field. Each digit causes a bignum multiplication (Len * 16 + digit), so parsing N hex digits requires O(N²) CPU work and O(N) memory. Additionally, when input is drip-fed, the parser discards the accumulated length on each partial read and restarts from zero on resumption, raising the cost to O(N³). An unauthenticated remote attacker can exploit this by sending an HTTP/1.1 request with Transfer-Encoding: chunked and a very long chunk-size hex string to cause denial of service through CPU exhaustion and memory amplification.
This vulnerability is associated with program file src/cow_http_te.erl and program routines cow_http_te:stream_chunked/2, cow_http_te:chunked_len/4.
This issue affects cowlib: from 0.6.0 before 2.16.1.
Severity
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://cna.erlef.org/cves/CVE-2026-7790.html | relatedthird-party-advisory |
| https://osv.dev/vulnerability/EEF-CVE-2026-7790 | related |
| https://github.com/ninenines/cowlib/commit/a4b803… | patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7790",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T18:56:19.590262Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:56:31.426Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"cow_http_te"
],
"packageName": "cowlib",
"packageURL": "pkg:hex/cowlib",
"product": "cowlib",
"programFiles": [
"src/cow_http_te.erl"
],
"programRoutines": [
{
"name": "cow_http_te:stream_chunked/2"
},
{
"name": "cow_http_te:chunked_len/4"
}
],
"repo": "https://github.com/ninenines/cowlib",
"vendor": "ninenines",
"versions": [
{
"lessThan": "2.16.1",
"status": "affected",
"version": "0.6.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"cow_http_te"
],
"packageName": "ninenines/cowlib",
"packageURL": "pkg:github/ninenines/cowlib",
"product": "cowlib",
"programFiles": [
"src/cow_http_te.erl"
],
"programRoutines": [
{
"name": "cow_http_te:stream_chunked/2"
},
{
"name": "cow_http_te:chunked_len/4"
}
],
"repo": "https://github.com/ninenines/cowlib",
"vendor": "ninenines",
"versions": [
{
"lessThan": "a4b8039ce8c93ab00867ef6b7e888822c09f4369",
"status": "affected",
"version": "8c0e428b012c59f553a264f285ed89d36f791e3e",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.16.1",
"versionStartIncluding": "0.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lo\u00efc Hoguin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow_http_te module) allows Excessive Allocation.\u003cp\u003eThe chunked transfer-encoding parser in \u003ctt\u003ecow_http_te\u003c/tt\u003e accepts an unbounded number of hex digits in the chunk-size field. Each digit causes a bignum multiplication (\u003ctt\u003eLen * 16 + digit\u003c/tt\u003e), so parsing \u003ctt\u003eN\u003c/tt\u003e hex digits requires O(N\u00b2) CPU work and O(N) memory. Additionally, when input is drip-fed, the parser discards the accumulated length on each partial read and restarts from zero on resumption, raising the cost to O(N\u00b3). An unauthenticated remote attacker can exploit this by sending an HTTP/1.1 request with \u003ctt\u003eTransfer-Encoding: chunked\u003c/tt\u003e and a very long chunk-size hex string to cause denial of service through CPU exhaustion and memory amplification.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program file \u003ctt\u003esrc/cow_http_te.erl\u003c/tt\u003e and program routines \u003ctt\u003ecow_http_te:stream_chunked/2\u003c/tt\u003e, \u003ctt\u003ecow_http_te:chunked_len/4\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects cowlib: from 0.6.0 before 2.16.1.\u003c/p\u003e"
}
],
"value": "Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow_http_te module) allows Excessive Allocation.\n\nThe chunked transfer-encoding parser in cow_http_te accepts an unbounded number of hex digits in the chunk-size field. Each digit causes a bignum multiplication (Len * 16 + digit), so parsing N hex digits requires O(N\u00b2) CPU work and O(N) memory. Additionally, when input is drip-fed, the parser discards the accumulated length on each partial read and restarts from zero on resumption, raising the cost to O(N\u00b3). An unauthenticated remote attacker can exploit this by sending an HTTP/1.1 request with Transfer-Encoding: chunked and a very long chunk-size hex string to cause denial of service through CPU exhaustion and memory amplification.\n\nThis vulnerability is associated with program file src/cow_http_te.erl and program routines cow_http_te:stream_chunked/2, cow_http_te:chunked_len/4.\n\nThis issue affects cowlib: from 0.6.0 before 2.16.1."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T19:46:42.244Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"related",
"third-party-advisory"
],
"url": "https://cna.erlef.org/cves/CVE-2026-7790.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-7790"
},
{
"tags": [
"patch"
],
"url": "https://github.com/ninenines/cowlib/commit/a4b8039ce8c93ab00867ef6b7e888822c09f4369"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unbounded chunk-size hex digits in cowlib cause quadratic CPU and memory DoS",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn Cowboy, setting \u003ctt\u003einitial_stream_flow_size\u003c/tt\u003e to a much lower value limits the amount of chunked body data that cowlib will parse in a single read, reducing the window of data an attacker can use to trigger the quadratic work. This does not fully eliminate the vulnerability but can significantly reduce its impact for some applications.\u003c/p\u003e"
}
],
"value": "In Cowboy, setting initial_stream_flow_size to a much lower value limits the amount of chunked body data that cowlib will parse in a single read, reducing the window of data an attacker can use to trigger the quadratic work. This does not fully eliminate the vulnerability but can significantly reduce its impact for some applications."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-7790",
"datePublished": "2026-05-11T18:06:41.490Z",
"dateReserved": "2026-05-04T18:23:21.380Z",
"dateUpdated": "2026-05-26T19:46:42.244Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43969 (GCVE-0-2026-43969)
Vulnerability from cvelistv5 – Published: 2026-05-11 18:06 – Updated: 2026-05-12 04:26
VLAI
Title
Cookie Request Header Injection via Unvalidated Encoder in cow_cookie:cookie/1
Summary
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields.
cow_cookie:cookie/1 in cowlib builds a client-side Cookie: request header from a list of name-value pairs without validating either field. An attacker who controls the cookie names or values passed to this function can inject ;, ,, CR, LF, or TAB characters into the serialized header. This enables two classes of attack: cookie smuggling within a single header (e.g. injecting "; admin=1" to introduce a phantom cookie that the receiving server treats as authentic) and HTTP request header splitting (injecting CRLF to append arbitrary headers or smuggle a complete second request against a shared upstream proxy). The decoder side (parse_cookie_name/1, parse_cookie_value/1) and setcookie/3 already validate and reject these characters; the encoder alone is missing the check.
This issue affects cowlib from 2.9.0.
Severity
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://cna.erlef.org/cves/CVE-2026-43969.html | relatedthird-party-advisory |
| https://osv.dev/vulnerability/EEF-CVE-2026-43969 | related |
| https://github.com/erlef/cowlib/commit/177953dd51… | patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-43969",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T18:55:16.028478Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:55:26.121Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"cow_cookie"
],
"packageName": "cowlib",
"packageURL": "pkg:hex/cowlib",
"product": "cowlib",
"programFiles": [
"src/cow_cookie.erl"
],
"programRoutines": [
{
"name": "cow_cookie:cookie/1"
}
],
"repo": "https://github.com/ninenines/cowlib",
"vendor": "ninenines",
"versions": [
{
"status": "affected",
"version": "2.9.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"cow_cookie"
],
"packageName": "ninenines/cowlib",
"packageURL": "pkg:github/ninenines/cowlib",
"product": "cowlib",
"programFiles": [
"src/cow_cookie.erl"
],
"programRoutines": [
{
"name": "cow_cookie:cookie/1"
}
],
"repo": "https://github.com/ninenines/cowlib",
"vendor": "ninenines",
"versions": [
{
"status": "affected",
"version": "f017f8a0ecbffd5033d9ab49bf180186f7a523a7",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe application must pass attacker-controlled bytes as cookie names or values to \u003ctt\u003ecow_cookie:cookie/1\u003c/tt\u003e. Applications that construct cookie lists exclusively from trusted, application-controlled values are not affected.\u003c/p\u003e"
}
],
"value": "The application must pass attacker-controlled bytes as cookie names or values to cow_cookie:cookie/1. Applications that construct cookie lists exclusively from trusted, application-controlled values are not affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields.\u003c/p\u003e\u003cp\u003e\u003ctt\u003ecow_cookie:cookie/1\u003c/tt\u003e in cowlib builds a client-side \u003ctt\u003eCookie:\u003c/tt\u003e request header from a list of name-value pairs without validating either field. An attacker who controls the cookie names or values passed to this function can inject \u003ctt\u003e;\u003c/tt\u003e, \u003ctt\u003e,\u003c/tt\u003e, CR, LF, or TAB characters into the serialized header. This enables two classes of attack: cookie smuggling within a single header (e.g. injecting \u003ctt\u003e; admin=1\u003c/tt\u003e to introduce a phantom cookie that the receiving server treats as authentic) and HTTP request header splitting (injecting CRLF to append arbitrary headers or smuggle a complete second request against a shared upstream proxy). The decoder side (\u003ctt\u003eparse_cookie_name/1\u003c/tt\u003e, \u003ctt\u003eparse_cookie_value/1\u003c/tt\u003e) and \u003ctt\u003esetcookie/3\u003c/tt\u003e already validate and reject these characters; the encoder alone is missing the check.\u003c/p\u003e\u003cp\u003eThis issue affects cowlib from 2.9.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields.\n\ncow_cookie:cookie/1 in cowlib builds a client-side Cookie: request header from a list of name-value pairs without validating either field. An attacker who controls the cookie names or values passed to this function can inject ;, ,, CR, LF, or TAB characters into the serialized header. This enables two classes of attack: cookie smuggling within a single header (e.g. injecting \"; admin=1\" to introduce a phantom cookie that the receiving server treats as authentic) and HTTP request header splitting (injecting CRLF to append arbitrary headers or smuggle a complete second request against a shared upstream proxy). The decoder side (parse_cookie_name/1, parse_cookie_value/1) and setcookie/3 already validate and reject these characters; the encoder alone is missing the check.\n\nThis issue affects cowlib from 2.9.0."
}
],
"impacts": [
{
"capecId": "CAPEC-105",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-105 HTTP Request Splitting"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T04:26:34.206Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"related",
"third-party-advisory"
],
"url": "https://cna.erlef.org/cves/CVE-2026-43969.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-43969"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlef/cowlib/commit/177953dd51540da11090666c1f007214127a1144"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Cookie Request Header Injection via Unvalidated Encoder in cow_cookie:cookie/1",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eValidate inputs into \u003ctt\u003ecow_cookie:cookie/1\u003c/tt\u003e to only include valid cookie name and value characters as defined in RFC 6265 Section 4.1.1 before passing them to the function.\u003c/p\u003e"
}
],
"value": "Validate inputs into cow_cookie:cookie/1 to only include valid cookie name and value characters as defined in RFC 6265 Section 4.1.1 before passing them to the function."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-43969",
"datePublished": "2026-05-11T18:06:40.667Z",
"dateReserved": "2026-05-04T18:23:25.573Z",
"dateUpdated": "2026-05-12T04:26:34.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}