Description

ewe is a Gleam web server. Prior to version 3.0.6, the encode_headers function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP bytes without validating or stripping CRLF (\r\n) sequences. An application that passes user-controlled data into response headers (e.g., setting a Location redirect header from a request parameter) allows an attacker to inject arbitrary HTTP response content, leading to response splitting, cache poisoning, and possible cross-site scripting. Notably, ewe does validate CRLF in incoming request headers via validate_field_value() in the HTTP/1.1 parser — but provides no equivalent protection for outgoing response headers in the encoder. This issue has been patched in version 3.0.6.

INFO

Published Date :

2026-04-02T17:57:00.501Z

Last Modified :

2026-04-02T17:57:00.501Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-34715 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-34715.

URL Resource
https://github.com/vshakitskiy/ewe/commit/ce4ff214d32626a10fda9398dc94a2d720e17446 cve-icon cve-icon
https://github.com/vshakitskiy/ewe/releases/tag/v3.0.6 cve-icon cve-icon
https://github.com/vshakitskiy/ewe/security/advisories/GHSA-x2w3-23jr-hrpf cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact