ninenines cowlib CRLF Injection Vulnerability in SSE Event Handling
Vulnerability
A CRLF injection vulnerability has been identified in ninenines cowlib version 2.6.0 and later. The issue arises from incomplete validation of field values in the SSE event handling function cow_sse:event/1. The function guards against newline characters in the id and event fields, but it does not check for carriage return characters. Likewise, the internal prefix_lines/2 function, which processes the data and comment fields, splits only on newlines, so a carriage return passes through unchanged. Because SSE clients treat a bare carriage return as a line terminator, an attacker who controls any of these values can inject additional SSE lines, effectively splitting events and manipulating client-side logic. When the injected event data is rendered in the DOM, the effect is akin to stored cross-site scripting.
Impact
Exploitation of this vulnerability allows for event splitting and injection, manipulation of client-side logic, and behavior equivalent to stored cross-site scripting when the injected data is inserted into the DOM.
Reproduction
To reproduce this vulnerability, pass user-controlled data containing carriage return characters into the id, event, data, or comment fields of the cow_sse:event/1 function. Alternatively, use a higher-level wrapper such as cowboy_req:stream_events/3 that accepts unvalidated user input. The vulnerability can be verified by observing the injected data being processed as a separate SSE event on the client side.
Remediation
Sanitize user-controlled values before sending them to cow_sse:event/1. Remove or reject any values that include carriage return or newline characters in the id, event, data, and comment fields. Ensure that all SSE field values come from trusted, application-controlled sources rather than user input.
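One way to enforce this at the call site, as an added example that is not cowlib's or Cowboy's own code: a small Erlang wrapper that rejects an event if any of the four text fields contains a carriage return or newline, and only then hands the map to cow_sse:event/1. The module name safe_sse and its function names are assumptions of this example.

```erlang
%% Added example (not part of cowlib): reject CR/LF in SSE field values
%% before they reach cow_sse:event/1. Assumes cowlib is on the code path.
-module(safe_sse).
-export([event/1, validate/1]).

%% Fields whose values may carry user-influenced text. These are the four
%% named in the advisory; the integer retry field is not checked here.
-define(TEXT_FIELDS, [id, event, data, comment]).

%% Returns ok, or {error, {Field, cr_or_lf}} for the first offending field.
validate(Event) when is_map(Event) ->
    validate_fields(?TEXT_FIELDS, Event).

validate_fields([], _Event) ->
    ok;
validate_fields([Field | Rest], Event) ->
    case maps:find(Field, Event) of
        error ->
            validate_fields(Rest, Event);
        {ok, Value} ->
            %% Values may be iodata; flatten so one scan covers the whole value.
            case contains_crlf(iolist_to_binary(Value)) of
                true  -> {error, {Field, cr_or_lf}};
                false -> validate_fields(Rest, Event)
            end
    end.

%% True if the binary contains a carriage return or a newline byte anywhere.
%% Both are checked, since a bare CR is enough to start a new SSE line.
contains_crlf(Bin) ->
    binary:match(Bin, [<<"\r">>, <<"\n">>]) =/= nomatch.

%% Wrapper around cow_sse:event/1: encode only after validation succeeds.
%% Example (constructed values):
%%   safe_sse:event(#{event => <<"msg">>, data => <<"hello">>})
%%     -> {ok, Encoded}
%%   safe_sse:event(#{event => <<"msg">>, data => <<"a\rdata: b">>})
%%     -> {error, {data, cr_or_lf}}
event(Event) ->
    case validate(Event) of
        ok -> {ok, cow_sse:event(Event)};
        {error, _} = Err -> Err
    end.
```

Rejecting rather than stripping keeps the failure visible to the caller, which is preferable when the offending value comes from user input.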