PT-2026-39727 · Cowlib · Cowlib

Peter Ullrich · Published 2026-05-11 · Updated 2026-05-21 · CVE-2026-43969

CVSS v3.1: 3.2 (Low)
Vector: AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: cowlib versions 2.9.0 and later

Description: Improper Neutralization of CRLF Sequences (CRLF Injection) occurs when the cow_cookie:cookie/1 function builds a client-side Cookie request header from name-value pairs without validating the fields. An attacker who controls these names or values can inject characters such as semicolon (;), comma (,), CR, LF, or TAB into the serialized header. This allows cookie smuggling, where phantom cookies are introduced that the receiving server treats as authentic, and HTTP request header splitting, which enables appending arbitrary headers or smuggling a second request against a shared upstream proxy.

Recommendations: For versions 2.9.0 and later, validate inputs passed to the cow_cookie:cookie/1 function to ensure they contain only valid cookie-name and cookie-value characters as defined in RFC 6265 Section 4.1.1. As a temporary mitigation, restrict the use of attacker-controlled bytes as cookie names or values when calling the cow_cookie:cookie/1 function.
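The following is an added example, written for this page and not taken from cowlib; it is in Python rather than Erlang so it runs without the library. It implements the RFC 6265 Section 4.1.1 grammar check the recommendation calls for, places an unvalidated serializer (mirroring the behaviour the description attributes to cow_cookie:cookie/1) beside a validated one, and shows how a server-side split of the Cookie string sees a phantom cookie when the check is missing. All function names and the sample cookie pairs are constructed here.

```python
import re

# RFC 6265 Section 4.1.1 grammar (the check the advisory recommends):
#   cookie-name  = token                      ; RFC 2616 Section 2.2 token
#   cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
#   cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
#                  ; US-ASCII excluding CTLs, whitespace, DQUOTE, comma,
#                  ; semicolon and backslash
# A token is any CHAR except CTLs (0x00-0x1F, 0x7F) and the separators
# ()<>@,;:\"/[]?={} SP HT, so CR, LF, TAB, ';' and ',' are all rejected.
_TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_COOKIE_OCTETS = re.compile(rb"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*")


def valid_cookie_name(name: bytes) -> bool:
    """True if name is a non-empty RFC 2616 token."""
    # fullmatch (not match with '$') so a trailing LF cannot slip past the check
    return _TOKEN.fullmatch(name) is not None


def valid_cookie_value(value: bytes) -> bool:
    """True if value is *cookie-octet, optionally wrapped in one pair of DQUOTEs."""
    if len(value) >= 2 and value[:1] == b'"' and value[-1:] == b'"':
        value = value[1:-1]
    return _COOKIE_OCTETS.fullmatch(value) is not None


def unsafe_cookie_header(pairs):
    """Serialize like the unvalidated builder the advisory describes: join as-is."""
    return b"; ".join(name + b"=" + value for name, value in pairs)


def safe_cookie_header(pairs):
    """Validate every pair first; refuse to serialize anything outside the grammar."""
    for name, value in pairs:
        if not valid_cookie_name(name):
            raise ValueError(f"invalid cookie name: {name!r}")
        if not valid_cookie_value(value):
            raise ValueError(f"invalid cookie value: {value!r}")
    return unsafe_cookie_header(pairs)


def parse_cookie_string(cookie_string: bytes):
    """Minimal RFC 6265 Section 5.4 split of a Cookie header, as a server does it."""
    pairs = []
    for part in cookie_string.split(b"; "):
        name, _, value = part.partition(b"=")
        pairs.append((name, value))
    return pairs


def header_lines(header_value: bytes):
    """Lines an upstream that splits the header block on CRLF would see."""
    return (b"Cookie: " + header_value).split(b"\r\n")


if __name__ == "__main__":
    # Constructed sample inputs (not taken from the advisory).
    good = [(b"session", b"abc123"), (b"theme", b'"dark"')]
    phantom = [(b"lang", b"en; admin=true")]      # smuggles a second cookie
    split = [(b"lang", b"en\r\nX-Injected: 1")]    # splits the header block

    print(safe_cookie_header(good))
    print(parse_cookie_string(unsafe_cookie_header(phantom)))
    print(header_lines(unsafe_cookie_header(split)))
    for bad in (phantom, split):
        try:
            safe_cookie_header(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The validator works on bytes and uses fullmatch deliberately: a `$`-anchored match would accept a value that ends in a bare LF, which is exactly the class of input the advisory is about. Rejecting rather than stripping is the safer choice for a client library, since silently dropping bytes can still produce a header the caller did not intend.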

Fix


Weakness Enumeration

Related Identifiers

CVE-2026-43969
GHSA-G2WM-735Q-3F56

Affected Products

Cowlib