Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ewe Has Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting)
Vulnerability Description
ewe is a Gleam web server. Prior to version 3.0.6, the encode_headers function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP bytes without validating or stripping CRLF (\r\n) sequences. An application that passes user-controlled data into response headers (e.g., setting a Location redirect header from a request parameter) allows an attacker to inject arbitrary HTTP response content, leading to response splitting, cache poisoning, and possible cross-site scripting. Notably, ewe does validate CRLF in incoming request headers via validate_field_value() in the HTTP/1.1 parser — but provides no equivalent protection for outgoing response headers in the encoder. This issue has been patched in version 3.0.6.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Vulnerability Type
HTTP头部中CRLF序列转义处理不恰当(HTTP响应分割)
Vulnerability Title
ewe 注入漏洞
Vulnerability Description
ewe是Vladislav Shakitskiy个人开发者的一个轻量级Web服务器构建包。 ewe 3.0.6之前版本存在注入漏洞,该漏洞源于encode_headers函数未验证或剥离CRLF序列,可能导致响应拆分、缓存投毒和跨站脚本攻击。
CVSS Information
N/A
Vulnerability Type
N/A