PatchSiren cyber security CVE debrief
CVE-2026-43969 ninenines CVE debrief
CVE-2026-43969 is a low-scoring but real header-injection issue in cowlib’s client-side Cookie header encoder. If an application passes attacker-controlled cookie names or values into cow_cookie:cookie/1, the serialized header can be manipulated to smuggle extra cookie data or inject CRLF-separated headers/request data.
- Vendor: ninenines
- Product: cowlib
- CVSS: LOW 2.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-11
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-11
- Advisory updated: 2026-05-21
Who should care
Teams using Ninenines cowlib to build outbound HTTP Cookie headers, especially applications that derive cookie names or values from untrusted input, multi-tenant data, or upstream-controlled fields. Proxy-heavy deployments and systems that reuse shared upstream connections should pay extra attention because request splitting risks are most relevant there.
Technical summary
According to the supplied advisory and NVD record, cow_cookie:cookie/1 formats a Cookie: request header from name-value pairs without validating either field. That omission allows reserved characters such as the semicolon (;), the comma (,), CR, LF, or TAB to be injected into the serialized header. The practical outcomes are cookie smuggling within a single Cookie header and HTTP request/header splitting via CRLF injection. The issue affects cowlib from 2.9.0 through 2.16.1. The decoder-side helpers and setcookie/3 already reject these characters, so the weakness is isolated to the encoder path.
Defensive priority
Prioritize promptly if your code can feed untrusted data into cowlib cookie serialization; otherwise treat as a routine dependency update. The CVSS score is low, but the impact can rise in proxy or shared-upstream environments where header splitting matters.
Recommended defensive actions
- Upgrade cowlib to a version that includes the upstream fix referenced by the official patch commit.
- Audit all uses of cow_cookie:cookie/1 and confirm cookie names and values are never sourced from untrusted input without validation.
- If immediate upgrade is not possible, reject or sanitize semicolons, commas, CR, LF, and TAB at the application boundary before calling the encoder.
- Review downstream proxy and gateway behavior to ensure malformed Cookie headers cannot be used to split requests or inject headers.
- Use the vendor advisory and NVD version range to verify whether any deployed build falls within cowlib 2.9.0 to 2.16.1.
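The boundary check described in the technical summary and in the mitigation list above, as an added example for this debrief rather than cowlib's own code. The module name cookie_guard, its function names and the sample cookie pairs are assumptions; the serialization inside safe_cookie/1 is written for the demo, and a guarded call site on a patched cowlib would pass the validated pairs to cow_cookie:cookie/1 instead.

```erlang
%% cookie_guard: application-boundary checks for outbound Cookie header pairs.
%% Hypothetical module written for this debrief; it is not part of cowlib.
-module(cookie_guard).
-export([validate_pairs/1, safe_cookie/1, header_has_crlf/1, demo/0]).

%% Bytes the advisory names as reserved: ';' and ',' delimit cookie pairs,
%% CR/LF terminate the header line, TAB is whitespace a parser may strip.
-define(FORBIDDEN, [$;, 44, $\r, $\n, $\t]).   %% 44 is the comma ','

has_forbidden(Bin) ->
    lists:any(fun(C) -> binary:match(Bin, <<C>>) =/= nomatch end, ?FORBIDDEN).

%% A pair is rejected when either field contains a forbidden byte, when the
%% name is empty, or when the name contains '=' (it would read as a new pair).
validate_pair({<<>>, _}) ->
    {error, empty_name};
validate_pair({Name, Value}) when is_binary(Name), is_binary(Value) ->
    case has_forbidden(Name) orelse has_forbidden(Value)
         orelse binary:match(Name, <<"=">>) =/= nomatch of
        true  -> {error, {rejected_pair, Name}};
        false -> ok
    end;
validate_pair(Other) ->
    {error, {not_binary_pair, Other}}.

%% Returns ok only if every pair passes; stops at the first rejected pair.
validate_pairs(Pairs) ->
    lists:foldl(fun(P, ok) -> validate_pair(P); (_, Err) -> Err end, ok, Pairs).

%% Serialize only after validation. The "name=value; name=value" form below is
%% written here for the demo; on a patched cowlib the same guarded call site
%% would hand the validated Pairs to cow_cookie:cookie/1 instead.
safe_cookie(Pairs) ->
    case validate_pairs(Pairs) of
        ok  -> {ok, iolist_to_binary(lists:join(<<"; ">>, [[N, $=, V] || {N, V} <- Pairs]))};
        Err -> Err
    end.

%% Detection check for headers that were already built elsewhere (proxy hook,
%% outbound request logger): a CR or LF inside the value means it was split.
header_has_crlf(Header) when is_binary(Header) ->
    binary:match(Header, [<<"\r">>, <<"\n">>]) =/= nomatch.

%% Constructed sample input: the second list carries a CRLF-injected value of
%% the kind the advisory describes; it must be rejected before serialization.
demo() ->
    Good = [{<<"session">>, <<"abc123">>}, {<<"lang">>, <<"en">>}],
    Bad  = [{<<"session">>, <<"abc123\r\nX-Injected: 1">>}],
    {safe_cookie(Good), safe_cookie(Bad)}.
```

Compile with erlc and call cookie_guard:demo() from an Erlang shell: the first element is the serialized header for the clean pairs, the second is the rejection tuple for the injected value.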
Evidence notes
The supplied NVD record marks the CVE as analyzed, assigns CWE-93, and lists affected versions from 2.9.0 through 2.16.1. The official vendor advisory and patch commit are the primary evidence sources, and the OSV entry is a third-party corroborating reference. The CVE’s publishedAt date is 2026-05-11 and modifiedAt is 2026-05-21; those dates are used here for disclosure context only.
Official resources
- CVE-2026-43969 CVE record (CVE.org)
- CVE-2026-43969 NVD detail (NVD)
- Vendor Advisory (mitigation or vendor reference 6b3ad84c-e1a6-4bf7-a703-f496b71e49db)
- Patch (mitigation or vendor reference 6b3ad84c-e1a6-4bf7-a703-f496b71e49db)
- Third Party Advisory (mitigation or vendor reference 6b3ad84c-e1a6-4bf7-a703-f496b71e49db)
Publicly disclosed on 2026-05-11 and updated on 2026-05-21. Not listed in CISA KEV in the supplied enrichment data.