CVE-2026-48596: Improper Neutralization of CRLF Sequences in Elixir Tesla Multipart HTTP Client
Vulnerability ID: CVE-2026-48596
CVSS Score: 2.1
Published: 2026-07-10
CVE-2026-48596 is an Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting, CWE-113) in the Elixir Tesla HTTP client. The flaw resides in how multipart content-type parameters are joined and serialized, enabling attackers to inject arbitrary headers or split HTTP requests when applications pass untrusted inputs to the parameters of multipart uploads.
TL;DR
An HTTP request/response splitting vulnerability in elixir-tesla allowed unauthenticated remote attackers to inject arbitrary headers or perform HTTP request smuggling by supplying CRLF characters to the Tesla.Multipart.add_content_type_param/2 function.
โ ๏ธ Exploit Status: POC
Technical Details
- CWE ID: CWE-113 (Improper Neutralization of CRLF Sequences)
- Attack Vector: Local/Remote via application integration pattern
- CVSS v4.0 Score: 2.1 (Low)
- EPSS Score: 0.0017 (Percentile: 6.66%)
- Impact: HTTP Request Splitting and Header Injection
- Exploit Status: poc
- KEV Status: Not Listed
Affected Systems
- Elixir applications utilizing the elixir-tesla HTTP client library with user-provided parameters forwarded directly to the multipart boundary or charset configuration APIs.
-
tesla: from 0.8.0 before 1.18.3 (Fixed in:
1.18.3)
Code Analysis
Commit: 23601ed
Strictly validate content-type parameters according to RFC 7231 ยง3.1.1.1, preventing carriage return, line feed, and semicolon characters from being accepted.
Mitigation Strategies
- Upgrade to version 1.18.3 or higher of the tesla hex package.
- Sanitize user-provided values passed to add_content_type_param/2 by explicitly stripping or rejecting carriage returns, line feeds, and semicolons.
- Implement static analysis checks to detect unvalidated parameters passing from entry-points into Tesla Multipart constructs.
Remediation Steps:
- Open your application's
mix.exsconfiguration file. - Locate the
tesladependency declaration in thedeps/0list. - Update the version constraint to
{:tesla, "~> 1.18.3"}. - Run
mix deps.update teslato download and lock the secured package version. - Run
mix testto confirm that standard multipart behavior remains functional.
References
- GitHub Security Advisory GHSA-q7jx-v53g-848w
- Fix Commit
- Erlang Ecosystem Foundation Advisory details
- OSV Database Record
- NVD Vulnerability Record
- CVE Record
Read the full report for CVE-2026-48596 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)