The vulnerability in cowlib 2.6.0 involves improper neutralization of CRLF sequences in the SSE event handling function cow_sse:event/1. While the id and event fields are protected against newline characters (\n), they are not protected against carriage return characters (\r). Additionally, the internal prefix_lines/2 function used for data and comment fields splits only on \n. Since the SSE specification treats \r\n, \r, and \n as equivalent line terminators, an attacker controlling these fields can inject additional SSE lines, effectively forging complete events with arbitrary event types and data payloads. This can cause client-side event splitting and injection, potentially leading to stored-XSS-equivalent impacts in browsers or other SSE consumers that render event data.

An attacker who can control the id, event, data, or comment fields in SSE events can exploit this vulnerability to inject additional SSE lines. This allows event splitting and injection of arbitrary event types and data, which can manipulate client-side logic or cause stored-XSS-equivalent behavior when event data is rendered in the DOM by browsers or other SSE clients. The vulnerability has a CVSS 4.0 score of 6.3 (medium severity), indicating a moderate risk with network attack vector, low complexity, no privileges required, no user interaction, and limited impact on integrity and availability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or temporary mitigation is currently documented. Users of cowlib 2.6.0 should monitor the vendor's communications for updates. Until a fix is available, avoid using untrusted input in SSE event fields or implement additional input validation and sanitization to neutralize carriage return characters (\r) in SSE event fields.