PT-2026-39726 · Cowlib · Cowlib
Loïc Hoguin
+1
·
Published
2026-05-11
·
Updated
2026-05-27
·
CVE-2026-43968
CVSS v4.0
6.3
Medium
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N |
Name of the Vulnerable Software and Affected Versions
cowlib versions 2.6.0 and later
Description
Improper Neutralization of CRLF Sequences (CRLF Injection) allows SSE event splitting and injection through unvalidated field values. The
cow sse:event/1 function guards the id and event fields against but not against r, while the internal prefix lines/2 function used for data and comment fields only splits on . Since the SSE specification treats r , r, and as equivalent line terminators, an attacker controlling these fields can inject additional SSE lines to forge events with arbitrary types and data payloads. In environments where browser EventSource clients or other SSE consumers render event.data or dispatch on event.type, this can lead to client-side logic manipulation and stored-XSS-equivalent behavior when data is inserted into the DOM.Recommendations
For versions 2.6.0 and later, sanitize user-controlled values before passing them to
cow sse:event/1 by rejecting or stripping any value containing r or characters in the id, event, data, and comment fields.
Ensure all SSE field values are derived exclusively from trusted, application-controlled data rather than user input.Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Cowlib