CVE-2026-34715: CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') in vshakitskiy ewe
ewe is a Gleam web server. Prior to version 3.0.6, the encode_headers function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP bytes without validating or stripping CRLF (\r\n) sequences. An application that passes user-controlled data into response headers (e.g., setting a Location redirect header from a request parameter) allows an attacker to inject arbitrary HTTP response content, leading to response splitting, cache poisoning, and possible cross-site scripting. Notably, ewe does validate CRLF in incoming request headers via validate_field_value() in the HTTP/1.1 parser — but provides no equivalent protection for outgoing response headers in the encoder. This issue has been patched in version 3.0.6.
AI Analysis
Technical Summary
The vulnerability in 'ewe' versions before 3.0.6 involves improper neutralization of CRLF sequences in HTTP response headers. While incoming request headers are validated for CRLF sequences, the encode_headers function fails to apply similar validation to outgoing response headers. This flaw enables attackers to inject CRLF sequences into response headers, facilitating HTTP response splitting attacks. Such attacks can result in cache poisoning and cross-site scripting. The issue is tracked as CWE-113 and has a CVSS 3.1 base score of 5.3, indicating medium severity. The vulnerability was patched in version 3.0.6.
Potential Impact
An attacker able to influence HTTP response headers can exploit this vulnerability to inject arbitrary HTTP response content. This can lead to HTTP response splitting, which may cause cache poisoning and enable cross-site scripting attacks. There is no indication of confidentiality or availability impact. No known exploits are reported in the wild.
Mitigation Recommendations
Upgrade the 'ewe' web server to version 3.0.6 or later, where this vulnerability has been patched. The patch ensures proper validation and stripping of CRLF sequences in response headers. No additional mitigation is required if the upgrade is applied.
CVE-2026-34715: CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') in vshakitskiy ewe
Description
ewe is a Gleam web server. Prior to version 3.0.6, the encode_headers function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP bytes without validating or stripping CRLF (\r\n) sequences. An application that passes user-controlled data into response headers (e.g., setting a Location redirect header from a request parameter) allows an attacker to inject arbitrary HTTP response content, leading to response splitting, cache poisoning, and possible cross-site scripting. Notably, ewe does validate CRLF in incoming request headers via validate_field_value() in the HTTP/1.1 parser — but provides no equivalent protection for outgoing response headers in the encoder. This issue has been patched in version 3.0.6.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in 'ewe' versions before 3.0.6 involves improper neutralization of CRLF sequences in HTTP response headers. While incoming request headers are validated for CRLF sequences, the encode_headers function fails to apply similar validation to outgoing response headers. This flaw enables attackers to inject CRLF sequences into response headers, facilitating HTTP response splitting attacks. Such attacks can result in cache poisoning and cross-site scripting. The issue is tracked as CWE-113 and has a CVSS 3.1 base score of 5.3, indicating medium severity. The vulnerability was patched in version 3.0.6.
Potential Impact
An attacker able to influence HTTP response headers can exploit this vulnerability to inject arbitrary HTTP response content. This can lead to HTTP response splitting, which may cause cache poisoning and enable cross-site scripting attacks. There is no indication of confidentiality or availability impact. No known exploits are reported in the wild.
Mitigation Recommendations
Upgrade the 'ewe' web server to version 3.0.6 or later, where this vulnerability has been patched. The patch ensures proper validation and stripping of CRLF sequences in response headers. No additional mitigation is required if the upgrade is applied.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-30T18:41:20.752Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69ceb0a7e6bfc5ba1df381ea
Added to database: 4/2/2026, 6:08:39 PM
Last enriched: 4/9/2026, 10:45:33 PM
Last updated: 5/20/2026, 9:37:55 PM
Views: 82
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.