Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network vector for HTTP-based attack; AC:H for prerequisite of reflecting user data into cookies; S:C for cross-browser cookie security impact.
Primary rating from Vendor (6b3ad84c-e1a6-4bf7-a703-f496b71e49db).
CVSS VectorVendor: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Parameter/Argument Delimiters vulnerability in elixir-plug plug allows an attacker to inject or override HTTP cookie attributes.
The Plug.Conn.Cookies.encode/2 function in lib/plug/conn/cookies.ex builds the Set-Cookie response header by interpolating the cookie value and its path, domain, same_site, and extra attributes directly into the header without neutralizing the ';' delimiter that separates cookie attributes.
An application that places attacker-controlled data into a cookie value or attribute (for example via Plug.Conn.put_resp_cookie/4 when reflecting a username or preference) lets an attacker inject a ';' to append or override cookie attributes (such as Domain and Path scope, or dropping the Secure and HttpOnly flags), enabling cookie tossing and session fixation. Carriage return, line feed, and null bytes are rejected by Plug.Conn header validation, so HTTP response splitting is not possible, but attribute injection through ';' is not prevented.
This issue affects plug: from 0.1.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, from 1.20.0 before 1.20.3.
AnalysisAI
Cookie attribute injection in elixir-plug's Plug library allows a remote attacker who can supply values reflected into Set-Cookie headers to inject the ; delimiter and override attributes such as Domain, Path, Secure, and HttpOnly. Applications calling Plug.Conn.put_resp_cookie/4 with user-controlled data - for example, reflecting a username or preference value - are exposed to session fixation and cookie tossing across five supported release lines (0.1.0 through 1.20.2). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target application passes attacker-influenced data - such as a user-supplied username, locale preference, redirect path, or any other externally sourced value - directly into the value or optional attribute parameters (path, domain, same_site, extra) of `Plug.Conn.put_resp_cookie/4`. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CNA-assigned CVSS 4.0 score of 2.1 (AV:L/AC:L/AT:P/PR:N/UI:N) appears to underrepresent network reachability: the practical attack path is HTTP-based, not local system access, suggesting AV:L may reflect conservative scoring of a server-side code-quality issue rather than directly network-exploitable behavior. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers an account with a crafted username such as `alice; Domain=.attacker.com; Secure=false` and triggers an application flow where that value is reflected into a session cookie via `put_resp_cookie`. Because `Cookies.encode/2` interpolates the value without sanitizing `;`, the resulting `Set-Cookie` header includes the injected `Domain` attribute, causing the victim's browser to store the cookie with widened domain scope. … |
| Remediation | Upgrade Plug to the patched release for your active branch: 1.16.6, 1.17.4, 1.18.5, 1.19.5, or 1.20.3, referencing the upstream fix commit at https://github.com/elixir-plug/plug/commit/c6575800b2c4e15af1904df87522ca8a23da020c and the full advisory at https://github.com/elixir-plug/plug/security/advisories/GHSA-wpmj-jh88-rpgm. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42876