CVE-2026-43966

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields string values.

cow http struct hd:escape string/2 in cowlib only escapes and ", passing all other bytes through verbatim. This creates an encoder/decoder asymmetry: the matching parser accepts only printable ASCII (0x20–0x7E, excluding " and ), but the encoder emits any byte including CR and LF. An application that builds a structured HTTP header via cow http struct hd:item/1 (or a higher-level wrapper such as cow http hd:wt protocol/1) from attacker-controlled input can have r injected into the serialized header value. Once on the wire, the injected CRLF terminates the current header and any following bytes are interpreted as a new header, enabling HTTP response splitting.

This issue affects cowlib from 2.9.0.