CVE-2026-49753: HTTP Request/Response Smuggling via Inconsistent Content-Length Parsing in Elixir Mint Client
Vulnerability ID: CVE-2026-49753
CVSS Score: 6.3
Published: 2026-07-09
An Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) vulnerability in the Elixir Mint HTTP client allows attacker-controlled HTTP/1 servers to desynchronize response framing on shared connections due to over-lenient parsing of sign-prefixed Content-Length headers.
TL;DR
Elixir Mint's parser accepted sign-prefixed Content-Length values (like '+100') due to using Integer.parse/1. Intermediaries strictly enforcing RFC 7230/9110 reject or reframe these headers, enabling HTTP response smuggling and connection poisoning.
Technical Details
- CWE ID: CWE-444
- Attack Vector: Network
- CVSS v4.0: 6.3
- EPSS Score: 0.00301
- Impact: HTTP Request/Response Smuggling
- Exploit Status: None
- KEV Status: Not Listed
Affected Systems
- elixir-mint/mint
-
mint: >= 0.1.0, < 1.9.0 (Fixed in:
1.9.0)
Code Analysis
Commit: 47e4802
Strictly validate Content-Length header to contain only digits to mitigate HTTP request smuggling.
Commit: 65e0e86
Historical commit in ancestor library xhttp containing the vulnerable parsing pattern.
Mitigation Strategies
- Update elixir-mint/mint to version 1.9.0 or later.
- Deploy strict WAF rules to drop sign-prefixed Content-Length headers.
- Avoid connection pooling across distinct security context boundaries when interacting with untrusted upstream hosts.
Remediation Steps:
- Identify projects using Mint by auditing mix.lock.
- Update mix.exs dependencies to require {:mint, '~> 1.9.0'}.
- Run mix deps.get to fetch the patched version.
- Validate HTTP header processing in downstream environments to ensure strict RFC compliance.
References
Read the full report for CVE-2026-49753 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)