CVE-2026-43969 Overview
CVE-2026-43969 is a Carriage Return Line Feed (CRLF) injection vulnerability in ninenines cowlib, an HTTP support library used by the Erlang Cowboy web server ecosystem. The cow_cookie:cookie/1 encoder builds a client-side Cookie: request header from name-value pairs without validating either field. Attackers who control cookie names or values can inject ;, ,, CR, LF, or TAB characters into the serialized header. The flaw enables cookie smuggling within a single header and HTTP request header splitting against shared upstream proxies. The issue affects cowlib from version 2.9.0.
Critical Impact
Unvalidated cookie name and value fields allow attackers to inject phantom cookies or smuggle complete secondary HTTP requests through shared proxies.
Affected Products
- ninenines cowlib versions starting at 2.9.0
- Erlang/OTP applications using cow_cookie:cookie/1 for client-side cookie serialization
- Cowboy-based HTTP clients and proxies that depend on cowlib for header construction
Discovery Timeline
- 2026-05-11 - CVE-2026-43969 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-43969
Vulnerability Analysis
The vulnerability resides in the cow_cookie:cookie/1 function inside cowlib. The function concatenates supplied cookie names and values directly into a Cookie: request header without rejecting separator or control characters. An attacker who influences either field can inject characters that change the semantic structure of the header. Two attack classes follow from this primitive. First, injecting a sequence such as ; admin=1 introduces a phantom cookie that the receiving server parses as authentic. Second, injecting \r\n appends arbitrary headers or smuggles a complete second HTTP request through any shared upstream proxy. The vulnerability is classified under CWE-93: Improper Neutralization of CRLF Sequences.
Root Cause
The encoder lacks input validation on cookie name and value fields. The matching decoder functions parse_cookie_name/1 and parse_cookie_value/1, along with the server-side setcookie/3 encoder, already validate and reject the same characters. Only the client-side cookie/1 encoder is missing the check, creating an asymmetry between encode and decode paths.
Attack Vector
Exploitation requires that an attacker control cookie names or values passed into cow_cookie:cookie/1. Applications that forward user-supplied identifiers, session tokens, or tracking values into outbound HTTP requests through cowlib are the primary exposure. The injected payload travels with the outbound request and is interpreted either by the destination server (cookie smuggling) or by an intermediate proxy (request splitting and smuggling). See the Erlef CNA advisory for the upstream description and the GitHub commit for the fix.
Detection Methods for CVE-2026-43969
Indicators of Compromise
- Outbound HTTP requests containing CR (\r), LF (\n), or TAB characters within Cookie: header values
- Cookie: headers containing unexpected ; or , separators introduced by attacker-controlled fields
- Upstream proxy logs showing desynchronization, duplicate request boundaries, or unexpected secondary requests originating from a single client connection
Detection Strategies
- Inventory Erlang applications and identify dependencies on cowlib 2.9.0 or later, including transitive dependencies pulled through Cowboy or Gun
- Inspect call sites of cow_cookie:cookie/1 and confirm whether attacker-influenced data reaches the cookie name or value arguments
- Deploy egress inspection that flags HTTP request headers containing raw CRLF or control characters in cookie fields
Monitoring Recommendations
- Log and alert on cookie field anomalies such as embedded separators or non-printable bytes in outbound traffic
- Monitor reverse proxy and CDN telemetry for HTTP request smuggling indicators, including mismatched Content-Length values and unexpected pipelined requests
- Track dependency manifests (rebar.config, mix.exs) for upgrades to the patched cowlib release
How to Mitigate CVE-2026-43969
Immediate Actions Required
- Upgrade cowlib to the patched version that includes commit 177953dd51540da11090666c1f007214127a1144
- Audit application code for any caller passing attacker-controlled data into cow_cookie:cookie/1 and add input validation at those boundaries
- Validate cookie names and values against an allowlist that excludes ;, ,, CR, LF, and TAB before serialization
Patch Information
The upstream fix is published in the cowlib repository under commit 177953dd51540da11090666c1f007214127a1144. The patch adds validation to the encoder path so that cow_cookie:cookie/1 rejects the same characters already rejected by parse_cookie_name/1, parse_cookie_value/1, and setcookie/3. Additional metadata is available through the OSV entry EEF-CVE-2026-43969.
Workarounds
- Wrap calls to cow_cookie:cookie/1 with a validation function that strips or rejects CR, LF, TAB, ;, and , from names and values
- Constrain upstream input sources so cookie fields cannot contain raw user input until the library is upgraded
- Terminate HTTP connections to shared upstream proxies after each request to limit request smuggling exposure
# Update cowlib in a rebar3 project after patching
rebar3 upgrade cowlib
rebar3 deps
# Or in a mix project
mix deps.update cowlib
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
