cowlib: Cookie Request Header Injection via Unvalidated Encoder in cow_cookie:cookie/1 — CVE-2026-43969
GitHub · GitHub · CVE-2026-43969
ID
CVE-2026-43969
CVE-2026-43969
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
low
low
CVSS
2.1
2.1
EPSS
0.00026
0.00026
Summary
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields. cow_cookie:cookie/1 in cowlib builds a client-side Cookie: request header from a list of name-value pairs without validating either field. An attacker who controls the cookie names or values passed to this function can inject…
Product
erlang: cowlib
What to do
General, cautious steps (verify details in the official source):
- Review exposure and plan remediation based on risk and environment.
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.