CVE-2026-48598: Multipart Part Header Injection and Request Smuggling in elixir-tesla
Vulnerability ID: CVE-2026-48598
CVSS Score: 2.1
Published: 2026-07-10
An Improper Encoding or Escaping of Output vulnerability (CWE-116) in elixir-tesla allowed unauthenticated remote code execution or request smuggling via unescaped Content-Disposition parameters in multipart form-data requests.
TL;DR
Unescaped carriage returns, line feeds, and double-quotes in elixir-tesla's multipart module allow multipart header injection and request smuggling.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-116
- Attack Vector: Local
- CVSS v4.0 Score: 2.1 (Low)
- EPSS Score: 0.00143
- Impact: Low Subsequent System Integrity
- Exploit Status: Proof of Concept
- KEV Status: Not Listed
Affected Systems
- elixir-tesla
-
tesla: >= 0.8.0, < 1.18.3 (Fixed in:
1.18.3)
Code Analysis
Commit: bb1a2c3
Remediation patch introducing assert_disposition_value! function
--- a/lib/tesla/multipart.ex\n+++ b/lib/tesla/multipart.ex
Commit: 23601ed
Strict RFC 7230 token whitelisting using binary pattern matches
--- a/lib/tesla/multipart.ex\n+++ b/lib/tesla/multipart.ex
Exploit Details
- GitHub Security Advisory: Detailed discussion and description of the vulnerability.
Mitigation Strategies
- Upgrade the elixir-tesla dependency to version 1.18.3 or newer
- Filter user-controlled input values to remove carriage returns, line feeds, and double-quote characters before parsing
- Wrap dynamic multipart compilation steps in exception-handling blocks to prevent application crashes
Remediation Steps:
- Open your mix.exs configuration file
- Locate the {:tesla, "..."} dependency line and update the version requirement to >= 1.18.3
- Execute mix deps.get to fetch the patched version of the package
- Run your test suite to verify no uncaught ArgumentError exceptions occur during multipart serialization
References
- CVE-2026-48598 on CVE.org
- GHSA-28jh-g32x-v9v4 Advisory on GitHub
- Erlang Ecosystem Foundation CNA Advisory
- OSV Registry Record for CVE-2026-48598
Read the full report for CVE-2026-48598 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)