EEF-CVE-2026-48598

See a problem?
Please try reporting it to the source first.

Source

https://cna.erlef.org/osv/EEF-CVE-2026-48598.html

Import Source

https://cna.erlef.org/osv/EEF-CVE-2026-48598.json

JSON Data

https://api.osv.dev/v1/vulns/EEF-CVE-2026-48598

Aliases

CVE-2026-48598
GHSA-28jh-g32x-v9v4

Published

2026-06-02T19:08:19.921Z

Modified

2026-06-02T19:41:25.476597739Z

Severity

2.1 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N CVSS Calculator

Summary

CRLF injection in Tesla.Multipart disposition parameters allows multipart part header injection

Details

Summary

Improper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped Content-Disposition parameter values.

Tesla.Multipart.partheadersfordisposition/1 interpolates each disposition parameter as #{k}="#{v}" with no validation of CR (\r), LF (\n), or double-quote characters. The values come verbatim from the caller via Tesla.Multipart.addfield/4 (the name parameter), Tesla.Multipart.addfile/3, and Tesla.Multipart.addfilecontent/4 (both the filename parameter and other disposition opts). A " in the value closes the quoted parameter early; a \r\n ends the Content-Disposition header line and starts a new part header (such as a forged Content-Type), or, after a second \r\n, ends the entire part header block and prepends bytes to the part body. The default-filename path in addfile/3 derives the filename via Path.basename/1, which does not strip CR or LF, so any application forwarding a partially-attacker-controlled file path inherits the same issue.

This issue affects tesla: from 0.8.0 before 1.18.3.

Workaround

Validate disposition parameter values before passing them to Tesla.Multipart.addfield/4, Tesla.Multipart.addfile/3, or Tesla.Multipart.addfilecontent/4, rejecting any value that contains \r, \n, or ".

Configuration

The application must pass untrusted input into a disposition parameter of Tesla.Multipart.addfield/4, Tesla.Multipart.addfile/3, or Tesla.Multipart.addfilecontent/4.

Database specific

{
    "cwe_ids": [
        "CWE-116"
    ],
    "cpe_ids": [
        "cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*"
    ],
    "capec_ids": [
        "CAPEC-105"
    ]
}

References

Credits

- Peter Ullrich - FINDER
- Yordis Prieto - REMEDIATION_DEVELOPER
- Jonatan Männchen - ANALYST

Affected packages

Hex / tesla

Package

Name: tesla
Purl: pkg:hex/tesla

Affected ranges

Type: SEMVER
Events: Introduced

0.8.0

Fixed

1.18.3

Affected versions

0.*

0.8.0

0.9.0

0.10.0

1.*

1.0.0-beta.1

1.0.0

1.1.0

1.2.0

1.2.1

1.3.0

1.3.1

1.3.2

1.3.3

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.5.0

1.5.1

1.6.0

1.6.1

1.7.0

1.8.0

1.8.1

1.9.0

1.10.0

1.10.1

1.10.2

1.10.3

1.11.0

1.11.1

1.11.2

1.12.0

1.12.1

1.12.2

1.12.3

1.13.0

1.13.1

1.13.2

1.14.0

1.14.1

1.14.2

1.14.3

1.15.0

1.15.1

1.15.2

1.15.3

1.16.0

1.17.0

1.18.0

1.18.1

1.18.2

Database specific

source

"https://cna.erlef.org/osv/EEF-CVE-2026-48598.json"

Git / github.com/elixir-tesla/tesla.git

Affected ranges

Type: GIT
Repo: https://github.com/elixir-tesla/tesla.git
Events: Introduced

6ebfdb9abe9c6f119408045b933d82462decd351

Fixed

bb1a2c3da2775924d96e3db8e315dcc4d5d2246e

Database specific

source

"https://cna.erlef.org/osv/EEF-CVE-2026-48598.json"