CVE-2026-34715

Published: Apr 02, 2026 Last Modified: Apr 02, 2026
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 5,3
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: none
Integrity: low
Availability: none

Description

AI Translation Available

ewe is a Gleam web server. Prior to version 3.0.6, the encode_headers function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP bytes without validating or stripping CRLF (\r\n) sequences. An application that passes user-controlled data into response headers (e.g., setting a Location redirect header from a request parameter) allows an attacker to inject arbitrary HTTP response content, leading to response splitting, cache poisoning, and possible cross-site scripting. Notably, ewe does validate CRLF in incoming request headers via validate_field_value() in the HTTP/1.1 parser — but provides no equivalent protection for outgoing response headers in the encoder. This issue has been patched in version 3.0.6.

113

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

Incomplete
Abstraction: Variant Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity Access Control
Potential Impacts:
Modify Application Data Gain Privileges Or Assume Identity
Applicable Platforms
Technologies: Web Based, Web Server
View CWE Details
https://github.com/vshakitskiy/ewe/commit/ce4ff214d32626a10…
https://github.com/vshakitskiy/ewe/commit/ce4ff214d32626a10fda9398dc94a2d720e17…
https://github.com/vshakitskiy/ewe/releases/tag/v3.0.6
https://github.com/vshakitskiy/ewe/releases/tag/v3.0.6
https://github.com/vshakitskiy/ewe/security/advisories/GHSA…
https://github.com/vshakitskiy/ewe/security/advisories/GHSA-x2w3-23jr-hrpf