ninenines cowlib HTTP Response Splitting Vulnerability

Vulnerability

A vulnerability allowing HTTP response splitting has been identified in ninenines cowlib version 2.9.0 and later. This issue arises from improper handling of non-visible characters in structured-fields string values, which can be exploited to inject carriage return and line feed sequences into HTTP headers. The cow_http_struct_hd:escape_string/2 function fails to adequately escape these bytes, creating a mismatch between the encoding and parsing of header values. As a result, applications that use cow_http_struct_hd:item/1 to build structured HTTP headers from untrusted input may inadvertently introduce CRLF injection, facilitating HTTP response splitting attacks.

Impact

Exploitation of this vulnerability leads to HTTP response splitting, allowing attackers to manipulate the structure of HTTP responses sent to clients.

Reproduction

To reproduce this vulnerability, send a request that includes structured-fields header values derived from untrusted input. The cow_http_struct_hd:escape_string/2 function will process the input, failing to escape non-visible characters properly. When the header is transmitted, the injected CRLF will split the response, demonstrating the vulnerability.

Remediation

Applications should validate and sanitize untrusted input before using it in structured-fields headers. Those using cowboy 2.16.0 or later can enable the invalid_response_headers option to reject response headers containing CR or LF before they are sent. Additionally, gun 2.4.0 or later includes an invalid_request_headers option that raises an exception for outgoing request headers containing CR or LF.
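The following is an added illustration, not cowlib's code and not taken from the advisory. It contrasts an encoder that escapes only backslash and double quote (the two characters RFC 8941 requires escaping in an sf-string) with a hardened encoder that additionally rejects anything outside printable ASCII, which is what the Reproduction and Remediation sections above describe: without the range check, a CR/LF pair in untrusted input survives serialization and the client sees two header lines instead of one. The header name Example-Field, the injected X-Injected line and the untrusted value are constructed sample data; header_value_has_crlf is a stand-in for the kind of outbound check the cowboy and gun options perform, not their implementation.

```python
# Added example (not cowlib's code): why escaping only '"' and '\' in an
# RFC 8941 sf-string is insufficient, and what the hardened encoder does.
CRLF = "\r\n"


class InvalidStructuredField(ValueError):
    """Raised when a value cannot be represented as an sf-string."""


def naive_sf_string(value: str) -> str:
    """Illustrative encoder that escapes only backslash and DQUOTE.
    It never inspects other bytes, so CR and LF pass straight through
    into the serialized header line."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def safe_sf_string(value: str) -> str:
    """Hardened encoder. RFC 8941 section 3.3.3 restricts sf-string
    content to %x20-7E (printable ASCII). Any other character, including
    CR, LF, TAB and non-ASCII, is rejected before serialization."""
    for ch in value:
        if not 0x20 <= ord(ch) <= 0x7E:
            raise InvalidStructuredField(
                f"byte {ord(ch):#04x} is not allowed in an sf-string")
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def encode_or_reject(value: str):
    """Convenience wrapper: the encoded sf-string, or None if rejected."""
    try:
        return safe_sf_string(value)
    except InvalidStructuredField:
        return None


def header_value_has_crlf(value: str) -> bool:
    """Outbound check in the spirit of cowboy's invalid_response_headers
    and gun's invalid_request_headers options: refuse any header value
    that still contains CR or LF at the point of sending."""
    return "\r" in value or "\n" in value


def serialize_header(name: str, value: str) -> str:
    """One header line as it would appear on the wire."""
    return f"{name}: {value}{CRLF}"


def count_header_lines(serialized: str) -> int:
    """Number of header lines a client would parse from the bytes."""
    return len([line for line in serialized.split(CRLF) if line])


# Constructed untrusted input: a plausible display name followed by a
# smuggled CRLF and a header the application never intended to emit.
UNTRUSTED = "alice\r\nX-Injected: yes"


if __name__ == "__main__":
    naive_line = serialize_header("Example-Field", naive_sf_string(UNTRUSTED))
    print("naive encoder produced", count_header_lines(naive_line), "header lines")
    print("outbound CRLF check flags it:", header_value_has_crlf(naive_sf_string(UNTRUSTED)))
    print("hardened encoder result:", encode_or_reject(UNTRUSTED))
    print("hardened encoder on clean input:", safe_sf_string('say "hi" \\ bye'))
```

Run as a script it shows the naive encoder yielding two header lines from one field, the outbound CR/LF check catching that value, and the hardened encoder rejecting the same input while still escaping quotes and backslashes in a clean value. Rejecting rather than stripping is the better default for untrusted input: silently dropping bytes changes the value the application thought it was sending, whereas a rejection surfaces the problem at the point where input is accepted.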

Added: Jun 8, 2026, 6:08 PM
Updated: Jun 8, 2026, 6:08 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.0
exploitability: 7.7
remediation: 0.0
relevance: 9.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.