EEF-CVE-2026-48861
- Source
- https://cna.erlef.org/osv/EEF-CVE-2026-48861.html
- Import Source
- https://cna.erlef.org/osv/EEF-CVE-2026-48861.json
- JSON Data
- https://api.osv.dev/v1/vulns/EEF-CVE-2026-48861
- Aliases
-
- CVE-2026-48861
- GHSA-2pg6-44cx-c49v
- Published
- 2026-06-02T14:15:09.015Z
- Modified
- 2026-06-02T19:14:00.466Z
- Severity
-
- 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N CVSS Calculator
- Summary
- CRLF injection in HTTP/1 request line via unvalidated method in Mint
- Details
-
Summary
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in elixir-mint Mint allows HTTP Request Splitting and HTTP Request Smuggling.
In lib/mint/http1/request.ex, the encoderequestline/2 function splices the caller-supplied method and target arguments directly into the HTTP/1 request line without any character validation: [method, ?\s, target, " HTTP/1.1\r\n"]. An application that forwards attacker-controlled input as the HTTP method or target to Mint.HTTP.request/5 is therefore exposed to request-line CRLF injection: the attacker can terminate the request line early, inject arbitrary headers, and smuggle an entirely separate pipelined HTTP request onto the same TCP connection.
Mint 1.7.0 introduced validaterequesttarget/2, which rejects CRLF and other control characters in the target by default and closes the path/query vector unless the caller opts out via skiptargetvalidation: true. The method field remains unvalidated, so the method-based injection is exploitable under the default Mint configuration on all versions.
This issue affects mint: from 0.1.0 before 1.9.0.
- Database specific
{ "cpe_ids": [ "cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*" ], "cwe_ids": [ "CWE-93" ], "capec_ids": [ "CAPEC-33", "CAPEC-105" ] }- References
- Credits
-
-
- Peter Ullrich - FINDER
-
- Eric Meadows-Jönsson - REMEDIATION_DEVELOPER
-
- Jonatan Männchen / EEF - ANALYST
-
Affected packages
Hex / mint
Package
- Name
- mint
- Purl
- pkg:hex/mint