DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-49753: CVE-2026-49753: HTTP Request/Response Smuggling via Inconsistent Content-Length Parsing in Elixir Mint Client

CVE-2026-49753: HTTP Request/Response Smuggling via Inconsistent Content-Length Parsing in Elixir Mint Client

Vulnerability ID: CVE-2026-49753
CVSS Score: 6.3
Published: 2026-07-09

An Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) vulnerability in the Elixir Mint HTTP client allows attacker-controlled HTTP/1 servers to desynchronize response framing on shared connections due to over-lenient parsing of sign-prefixed Content-Length headers.

TL;DR

Elixir Mint's parser accepted sign-prefixed Content-Length values (like '+100') due to using Integer.parse/1. Intermediaries strictly enforcing RFC 7230/9110 reject or reframe these headers, enabling HTTP response smuggling and connection poisoning.


Technical Details

  • CWE ID: CWE-444
  • Attack Vector: Network
  • CVSS v4.0: 6.3
  • EPSS Score: 0.00301
  • Impact: HTTP Request/Response Smuggling
  • Exploit Status: None
  • KEV Status: Not Listed

Affected Systems

  • elixir-mint/mint
  • mint: >= 0.1.0, < 1.9.0 (Fixed in: 1.9.0)

Code Analysis

Commit: 47e4802

Strictly validate Content-Length header to contain only digits to mitigate HTTP request smuggling.

Commit: 65e0e86

Historical commit in ancestor library xhttp containing the vulnerable parsing pattern.

Mitigation Strategies

  • Update elixir-mint/mint to version 1.9.0 or later.
  • Deploy strict WAF rules to drop sign-prefixed Content-Length headers.
  • Avoid connection pooling across distinct security context boundaries when interacting with untrusted upstream hosts.

Remediation Steps:

  1. Identify projects using Mint by auditing mix.lock.
  2. Update mix.exs dependencies to require {:mint, '~> 1.9.0'}.
  3. Run mix deps.get to fetch the patched version.
  4. Validate HTTP header processing in downstream environments to ensure strict RFC compliance.

References


Read the full report for CVE-2026-49753 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)