CVE-2026-43968 Overview
CVE-2026-43968 is a CRLF injection vulnerability [CWE-93] in the cowlib library maintained by ninenines, used by the Cowboy HTTP server in the Erlang ecosystem. The flaw affects the cow_sse:event/1 function, which builds Server-Sent Events (SSE) frames. The function guards id and event fields against \n but not against bare \r, and the internal prefix_lines/2 function used for data and comment fields splits only on \n. Attackers controlling any SSE field value can inject additional event lines and forge complete events with arbitrary types and payloads. This affects cowlib versions from 2.6.0 before 2.16.1.
Critical Impact
Attackers can inject forged SSE events that browser EventSource consumers will dispatch and render, enabling client-side logic manipulation and stored-XSS-equivalent behaviour when event data reaches the DOM.
Affected Products
- ninenines cowlib 2.6.0 through 2.16.0
- Cowboy HTTP server deployments using vulnerable cowlib for SSE responses
- Erlang/OTP applications consuming user-controlled values in cow_sse:event/1
Discovery Timeline
- 2026-05-11 - CVE CVE-2026-43968 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-43968
Vulnerability Analysis
The SSE specification requires decoders to treat \r\n, \r, and \n as equivalent line terminators. The cow_sse:event/1 function in cowlib enforces only a subset of these terminators when validating field values. The event_id and event_event clauses reject \n but accept bare \r, while prefix_lines/2, which handles data and comment fields, splits exclusively on \n and passes \r through unchanged.
When an attacker injects a \r character into any controlled field, the receiving SSE parser interprets it as a new line. The attacker can then append event: and data: directives, producing a fully forged event with an arbitrary type and payload. Browser EventSource clients dispatch based on event.type and frequently insert event.data into the DOM, which converts the injection into client-side code execution paths.
Root Cause
The root cause is incomplete neutralization of line terminators in SSE field encoders. The validation logic checks only for \n and ignores the \r and \r\n sequences that the SSE specification mandates as equivalent. Field values originating from untrusted sources are concatenated directly into the response stream without normalization.
Attack Vector
Exploitation requires the application to pass attacker-influenced data into cow_sse:event/1 field values such as id, event, data, or comment. The attacker submits a value containing \r followed by SSE directives. The server emits the malformed frame to all subscribed clients, and each consumer parses the injected lines as a separate event.
event_id(#{id := ID}) ->
- nomatch = binary:match(iolist_to_binary(ID), <<"\n">>),
+ nomatch = binary:match(iolist_to_binary(ID),
+ [<<"\r\n">>, <<"\r">>, <<"\n">>]),
[<<"id: ">>, ID, $\n];
event_id(_) ->
[].
Source: GitHub Commit 6165fc4. The patch extends binary:match/2 to reject all three line terminator forms across every SSE field encoder.
Detection Methods for CVE-2026-43968
Indicators of Compromise
- SSE response bodies containing unexpected \r bytes inside id:, event:, or data: field values
- Client-side telemetry showing dispatched event types that the application does not emit
- Unexpected DOM mutations or script execution traced back to EventSource.onmessage or named event handlers
Detection Strategies
- Inspect outbound SSE streams for \r characters appearing anywhere other than as part of a deliberate \r\n line terminator emitted by the server
- Audit Erlang/Cowboy applications for calls to cow_sse:event/1 where field values originate from request parameters, headers, or database fields populated by users
- Run dependency scanning against rebar.lock and mix.lock to identify cowlib versions earlier than 2.16.1
Monitoring Recommendations
- Log SSE response payloads in non-production environments and alert on bare \r occurrences within field values
- Capture browser-side error events from EventSource consumers to surface anomalous event types
- Monitor web application firewall logs for request parameters containing URL-encoded %0D sequences targeting endpoints that produce SSE responses
How to Mitigate CVE-2026-43968
Immediate Actions Required
- Upgrade cowlib to version 2.16.1 or later across all Erlang/Elixir applications
- Rebuild and redeploy any release that statically links a vulnerable cowlib version
- Audit application code that builds SSE events from user-supplied input and add explicit rejection of \r and \n characters
Patch Information
The fix is committed in cowlib commit 6165fc40efa159ba1cceee7e7981e790acba5d9c and shipped in version 2.16.1. The patch extends line-terminator validation across event_id, event_event, prefix_lines, and related encoders to reject \r\n, \r, and \n. Refer to the CNA CVE-2026-43968 Advisory and the OSV Vulnerability Report EEF-CVE-2026-43968 for full advisory details.
Workarounds
- Sanitize all untrusted values before passing them to cow_sse:event/1 by stripping or rejecting \r and \n bytes
- Apply output encoding on the client so that event.data is inserted using textContent rather than innerHTML
- Restrict the set of event types the client dispatches by allow-listing handlers and ignoring unknown event names
# Pin cowlib to the patched version in rebar.config
{deps, [
{cowlib, "2.16.1"}
]}.
# Or in mix.exs for Elixir projects
# {:cowlib, "~> 2.16.1", override: true}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
