The vulnerability in ninenines cowlib 2.9.0 involves improper neutralization of CRLF sequences in HTTP headers, specifically in the cow_http_struct_hd:escape_string/2 function. This function escapes only backslash and double quote characters but allows other bytes, including carriage return (CR) and line feed (LF), to pass through unescaped. The parser on the receiving end accepts only printable ASCII characters excluding backslash and double quote, creating an asymmetry that enables injection of CRLF sequences into HTTP header values. When attacker-controlled input is used to build structured HTTP headers via cow_http_struct_hd:item/1 or cow_http_hd:wt_protocol/1, this can lead to HTTP response splitting, where injected CRLF sequences terminate the current header and cause subsequent data to be interpreted as new headers.

Successful exploitation of this vulnerability can allow an attacker to perform HTTP response splitting attacks, which may lead to web cache poisoning, cross-site scripting (XSS), or other HTTP header injection attacks depending on the application context. The CVSS 4.0 base score is 6.3 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and limited impact on confidentiality, integrity, and availability.

No official patch or remediation guidance is currently available from the vendor. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, users should avoid using attacker-controlled input in structured HTTP headers via cow_http_struct_hd:item/1 or related functions or implement additional input validation and sanitization to prevent CRLF injection.