Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields string values.
cow_http_struct_hd:escape_string/2 in cowlib only escapes \ and ", passing all other bytes through verbatim. This creates an encoder/decoder asymmetry: the matching parser accepts only printable ASCII (0x20-0x7E, excluding " and \), but the encoder emits any byte including CR and LF. An application that builds a structured HTTP header via cow_http_struct_hd:item/1 (or a higher-level wrapper such as cow_http_hd:wt_protocol/1) from attacker-controlled input can have \r\n injected into the serialized header value. Once on the wire, the injected CRLF terminates the current header and any following bytes are interpreted as a new header, enabling HTTP response splitting.
This issue affects cowlib from 2.9.0.
AnalysisAI
HTTP response splitting in ninenines cowlib allows network-accessible attackers to inject arbitrary HTTP headers when applications route untrusted input through the library's structured-field encoder. The root cause is an encoder/decoder asymmetry in cow_http_struct_hd:escape_string/2: it escapes only backslash and double-quote, emitting all other bytes verbatim - including CR (0x0D) and LF (0x0A) - while the matching parser only accepts printable ASCII. Any Cowboy or Gun application that builds a structured HTTP header from attacker-controlled input via cow_http_struct_hd:item/1 or cow_http_hd:wt_protocol/1 is affected. No public exploit has been identified and this CVE does not appear in CISA KEV, but upstream fixes are available as commits to both Cowboy and Gun.
Technical ContextAI
cowlib is a shared Erlang HTTP utility library that underpins both the Cowboy HTTP/1.1 and HTTP/2 server and the Gun HTTP/WebSocket client. The vulnerability (CWE-113, Improper Neutralization of CRLF Sequences in HTTP Headers) lives in cow_http_struct_hd, cowlib's implementation of RFC 8941 structured fields. The escape_string/2 function that serializes string items escapes only two bytes ('\' and '"'), passing every other byte through verbatim into the wire representation. The paired parser enforces that string values contain only printable ASCII (codepoints 0x20-0x7E excluding 0x22 and 0x5C), so a value accepted by the application layer can encode bytes - notably 0x0D and 0x0A - that the parser would reject but the encoder silently emits. Higher-level helpers like cow_http_hd:wt_protocol/1 compose structured headers using this encoder, meaning the injection surface extends to any framework feature built on top of it. Affected products are identified by CPE cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:* covering all versions from 2.9.0 onward per EUVD-2026-35131.
RemediationAI
Upstream fixes have been committed to both Cowboy and Gun but a tagged cowlib release version incorporating the root-cause fix has not been confirmed from the available data - treat these as upstream-fix-available-but-release-unconfirmed. The Cowboy commit (https://github.com/ninenines/cowboy/commit/f77cb9b5e730e300fffb551db1ba5d1c4ed878ef) introduces an invalid_response_headers option defaulting to error_terminate, which scans all outgoing response and trailer headers for raw CR or LF bytes and responds with HTTP 500 or drops the connection on detection; setting this option to ignore disables the check entirely and must not be used in production. The Gun commit (https://github.com/ninenines/gun/commit/4f35609eb37109b106a863fc9ba83d7ee64e3e42) adds an invalid_request_headers option defaulting to raise, which throws an exception when CRLF bytes are detected in outgoing request headers. As a compensating control pending a full dependency update, applications should sanitize any input passed to cow_http_struct_hd:item/1 or cow_http_hd:wt_protocol/1 by rejecting or stripping values containing bytes 0x0D or 0x0A before invoking the encoder; this has no functional side effect for well-formed HTTP values. Consult https://vuldb.com/vuln/369277 for additional advisory tracking.
Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow_http_te module) allows Excessive Allocation. T
Unauthenticated remote denial of service in ninenines cowlib (versions 0.1.0 through 2.16.0) allows a single crafted SPD
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows SSE event splittin
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows HTTP request split
Same weakness CWE-113 – HTTP Response Splitting
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35131
GHSA-w4f7-4cxr-rv3c