CVE-2026-43969
Description
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields. cow_cookie:cookie/1 in cowlib builds a client-side Cookie: request header from a list of name-value pairs without validating either field. An attacker who controls the cookie names or values passed to this function can inject ;, ,, CR, LF, or TAB characters into the serialized header. This enables two classes of attack: cookie smuggling within a single header (e.g. injecting "; admin=1" to introduce a phantom cookie that the receiving server treats as authentic) and HTTP request header splitting (injecting CRLF to append arbitrary headers or smuggle a complete second request against a shared upstream proxy). The decoder side (parse_cookie_name/1, parse_cookie_value/1) and setcookie/3 already validate and reject these characters; the encoder alone is missing the check. This issue affects cowlib from 2.9.0.
Is your site exposed to CVE-2026-43969?
Run a free security scan — no signup, results in seconds.
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
References
Frequently Asked Questions
What is CVE-2026-43969? +
How do I check if I'm vulnerable to CVE-2026-43969? +
Related Vulnerabilities
sse-channel is an SSE-implementation which can be used to any node.js http request/response stream. Prior to 4.0.1, implementations that allow …
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.128.Final and 4.2.7.Final, the SMTP codec in Netty …
h2 is a pure-Python implementation of a HTTP/2 protocol stack. Prior to version 4.3.0, an HTTP/2 request splitting vulnerability allows …
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field …
Refit is an automatic type-safe REST library for .NET Core, Xamarin and .NET The various header-related Refit attributes (Header, HeaderCollection …
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in elixir-mint Mint allows HTTP Request Splitting and HTTP Request Smuggling. In …