GHSA-2pg6-44cx-c49v

Suggest an improvement
Source
https://github.com/advisories/GHSA-2pg6-44cx-c49v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-2pg6-44cx-c49v/GHSA-2pg6-44cx-c49v.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2pg6-44cx-c49v
Aliases
Published
2026-07-09T23:19:12Z
Modified
2026-07-09T23:30:10.333707326Z
Severity
  • 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N CVSS Calculator
Summary
mint has potential CRLF injection in its HTTP request line via unvalidated `method`/`target`
Details

Summary

Mint's HTTP/1 request encoder splices the caller-supplied method and target directly into the request line without character validation. An application that forwards attacker-controlled input as the HTTP method or the target to Mint.HTTP.request/5 is exposed to request-line CRLF injection, allowing the attacker to terminate the request line early, inject arbitrary headers, and pipeline a fully attacker-chosen second request onto the same TCP connection.

Details

encode_request_line/2 in lib/mint/http1/request.ex writes method and target to the wire verbatim. encode_headers/1 validates header names and values, but there is no equivalent validate_method!/1.

Mint 1.7.0 added validate_request_target/2, which rejects CRLF and other control characters in target by default and closes the path/query vector. The method field remains unvalidated, so a CRLF-bearing method such as "GET / HTTP/1.1\r\nX-Smuggled: 1\r\nGET /admin" is accepted and written to the socket as-is. Bytes after the first \r\n are interpreted by the peer as an injected header, or, with a second \r\n, as an additional pipelined request.

PoC

  1. Stand up a Mint-using gateway/proxy that calls Mint.HTTP.request(conn, method, "/", [], nil) with method taken from caller input.
  2. Send a request whose forwarded method is "GET / HTTP/1.1\r\nX-Smuggled-Header: pwned\r\nGET /admin/delete-everything".
  3. Observe the bytes received by the upstream server: the smuggled header line and the second request line appear verbatim in the outbound stream.

Impact

CRLF injection / HTTP request smuggling in the HTTP/1 client encoder, exploitable under default configuration whenever an application passes caller-influenced input as the HTTP method. An attacker who controls the method can inject arbitrary outbound headers (forged Host, Authorization, cache-poisoning headers) and smuggle additional, fully attacker-chosen requests to the upstream server over the same connection, potentially reaching endpoints the legitimate caller never intended to invoke.

Resources

  • Introduction commit: https://github.com/elixir-mint/mint/commit/8db1acff30b6a9433762c18b1e1f891b8c1f74f7
  • Patch commit: https://github.com/elixir-mint/mint/commit/fad091454cbb7449b19edb8e1fee12ca7cf28c3a
Database specific
{
    "github_reviewed": true,
    "nvd_published_at": "2026-06-02T16:16:44Z",
    "cwe_ids": [
        "CWE-93"
    ],
    "severity": "LOW",
    "github_reviewed_at": "2026-07-09T23:19:12Z"
}
References

Affected packages

Hex / mint

Package

Name
mint
Purl
pkg:hex/mint

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.9.0

Affected versions

0.*
0.1.0
0.2.0
0.2.1
0.3.0
0.4.0
0.5.0
1.*
1.0.0
1.1.0
1.2.0
1.2.1
1.3.0
1.4.0
1.4.1
1.4.2
1.5.0
1.5.1
1.5.2
1.6.0
1.6.1
1.6.2
1.7.0
1.7.1
1.8.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-2pg6-44cx-c49v/GHSA-2pg6-44cx-c49v.json"