CVE-2026-34715

Name of the Vulnerable Software and Affected Versions Ewe versions prior to 3.0.6

Description The encode headers function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP bytes without validating or stripping CRLF (r ) sequences. This allows an attacker to inject arbitrary HTTP response content when user-controlled data is passed into response headers, potentially leading to response splitting, cache poisoning, and cross-site scripting. The issue stems from the lack of validation for outgoing response headers, while incoming request headers are validated via validate field value() in the HTTP/1.1 parser. The vulnerable code is located in the encode headers function, where both key and value are directly embedded into the output BitArray without sanitization. An example of exploitation involves setting a Location redirect header from a request parameter containing CRLF sequences.

Recommendations Update to version 3.0.6 or later.