DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-48596: CVE-2026-48596: Improper Neutralization of CRLF Sequences in Elixir Tesla Multipart HTTP Client

CVE-2026-48596: Improper Neutralization of CRLF Sequences in Elixir Tesla Multipart HTTP Client

Vulnerability ID: CVE-2026-48596
CVSS Score: 2.1
Published: 2026-07-10

CVE-2026-48596 is an Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting, CWE-113) in the Elixir Tesla HTTP client. The flaw resides in how multipart content-type parameters are joined and serialized, enabling attackers to inject arbitrary headers or split HTTP requests when applications pass untrusted inputs to the parameters of multipart uploads.

TL;DR

An HTTP request/response splitting vulnerability in elixir-tesla allowed unauthenticated remote attackers to inject arbitrary headers or perform HTTP request smuggling by supplying CRLF characters to the Tesla.Multipart.add_content_type_param/2 function.


โš ๏ธ Exploit Status: POC

Technical Details

  • CWE ID: CWE-113 (Improper Neutralization of CRLF Sequences)
  • Attack Vector: Local/Remote via application integration pattern
  • CVSS v4.0 Score: 2.1 (Low)
  • EPSS Score: 0.0017 (Percentile: 6.66%)
  • Impact: HTTP Request Splitting and Header Injection
  • Exploit Status: poc
  • KEV Status: Not Listed

Affected Systems

  • Elixir applications utilizing the elixir-tesla HTTP client library with user-provided parameters forwarded directly to the multipart boundary or charset configuration APIs.
  • tesla: from 0.8.0 before 1.18.3 (Fixed in: 1.18.3)

Code Analysis

Commit: 23601ed

Strictly validate content-type parameters according to RFC 7231 ยง3.1.1.1, preventing carriage return, line feed, and semicolon characters from being accepted.

Mitigation Strategies

  • Upgrade to version 1.18.3 or higher of the tesla hex package.
  • Sanitize user-provided values passed to add_content_type_param/2 by explicitly stripping or rejecting carriage returns, line feeds, and semicolons.
  • Implement static analysis checks to detect unvalidated parameters passing from entry-points into Tesla Multipart constructs.

Remediation Steps:

  1. Open your application's mix.exs configuration file.
  2. Locate the tesla dependency declaration in the deps/0 list.
  3. Update the version constraint to {:tesla, "~> 1.18.3"}.
  4. Run mix deps.update tesla to download and lock the secured package version.
  5. Run mix test to confirm that standard multipart behavior remains functional.

References


Read the full report for CVE-2026-48596 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)