EEF-CVE-2026-43966

## Summary

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields string values.

cow_http_struct_hd:escape_string/2 in cowlib only escapes \ and ", passing all other bytes through verbatim. This creates an encoder/decoder asymmetry: the matching parser accepts only printable ASCII (0x20–0x7E, excluding " and \), but the encoder emits any byte including CR and LF. An application that builds a structured HTTP header via cow_http_struct_hd:item/1 (or a higher-level wrapper such as cow_http_hd:wt_protocol/1) from attacker-controlled input can have \r\n injected into the serialized header value. Once on the wire, the injected CRLF terminates the current header and any following bytes are interpreted as a new header, enabling HTTP response splitting.

This issue affects cowlib from 2.9.0.

## Workaround

Validate all values passed into structured-fields header builders (directly via cow_http_struct_hd:item/1 or indirectly via higher-level wrappers) before calling the encoder. Reject any value that is not from a trusted, application-controlled source or that contains CR (\r) or LF (\n) bytes.

Applications using cowboy 2.16.0 or later are protected on the server side by the invalid_response_headers option (defaults to error_terminate), which rejects any outgoing response header value containing CR or LF before it reaches the wire. Applications using gun 2.4.0 or later are protected on the client side by the invalid_request_headers request option (defaults to raise), which raises an exception when an outgoing request header value contains CR or LF.

## Configuration

The application must pass attacker-controlled data as a string value into cow_http_struct_hd:item/1 (or a wrapper that delegates to it). Applications that construct structured-fields header values exclusively from trusted, application-controlled values are not affected.