DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-48598: CVE-2026-48598: Multipart Part Header Injection and Request Smuggling in elixir-tesla

CVE-2026-48598: Multipart Part Header Injection and Request Smuggling in elixir-tesla

Vulnerability ID: CVE-2026-48598
CVSS Score: 2.1
Published: 2026-07-10

An Improper Encoding or Escaping of Output vulnerability (CWE-116) in elixir-tesla allowed unauthenticated remote code execution or request smuggling via unescaped Content-Disposition parameters in multipart form-data requests.

TL;DR

Unescaped carriage returns, line feeds, and double-quotes in elixir-tesla's multipart module allow multipart header injection and request smuggling.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-116
  • Attack Vector: Local
  • CVSS v4.0 Score: 2.1 (Low)
  • EPSS Score: 0.00143
  • Impact: Low Subsequent System Integrity
  • Exploit Status: Proof of Concept
  • KEV Status: Not Listed

Affected Systems

  • elixir-tesla
  • tesla: >= 0.8.0, < 1.18.3 (Fixed in: 1.18.3)

Code Analysis

Commit: bb1a2c3

Remediation patch introducing assert_disposition_value! function

--- a/lib/tesla/multipart.ex\n+++ b/lib/tesla/multipart.ex
Enter fullscreen mode Exit fullscreen mode

Commit: 23601ed

Strict RFC 7230 token whitelisting using binary pattern matches

--- a/lib/tesla/multipart.ex\n+++ b/lib/tesla/multipart.ex
Enter fullscreen mode Exit fullscreen mode

Exploit Details

Mitigation Strategies

  • Upgrade the elixir-tesla dependency to version 1.18.3 or newer
  • Filter user-controlled input values to remove carriage returns, line feeds, and double-quote characters before parsing
  • Wrap dynamic multipart compilation steps in exception-handling blocks to prevent application crashes

Remediation Steps:

  1. Open your mix.exs configuration file
  2. Locate the {:tesla, "..."} dependency line and update the version requirement to >= 1.18.3
  3. Execute mix deps.get to fetch the patched version of the package
  4. Run your test suite to verify no uncaught ArgumentError exceptions occur during multipart serialization

References


Read the full report for CVE-2026-48598 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)