<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: CVE Reports</title>
    <description>The latest articles on DEV Community by CVE Reports (@cverports).</description>
    <link>https://dev.to/cverports</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1959489%2F6e9f36b9-96a5-441a-a9b5-6993444f71d8.png</url>
      <title>DEV Community: CVE Reports</title>
      <link>https://dev.to/cverports</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/cverports"/>
    <language>en</language>
    <item>
      <title>CVE-2026-49866: CVE-2026-49866: CPU-Based Denial of Service in @libp2p/gossipsub Protobuf Parser</title>
      <dc:creator>CVE Reports</dc:creator>
      <pubDate>Fri, 10 Jul 2026 16:40:59 +0000</pubDate>
      <link>https://dev.to/cverports/cve-2026-49866-cve-2026-49866-cpu-based-denial-of-service-in-libp2pgossipsub-protobuf-parser-5398</link>
      <guid>https://dev.to/cverports/cve-2026-49866-cve-2026-49866-cpu-based-denial-of-service-in-libp2pgossipsub-protobuf-parser-5398</guid>
      <description>&lt;h1&gt;
  
  
  CVE-2026-49866: CPU-Based Denial of Service in @libp2p/gossipsub Protobuf Parser
&lt;/h1&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Vulnerability ID:&lt;/strong&gt; CVE-2026-49866&lt;br&gt;
&lt;strong&gt;CVSS Score:&lt;/strong&gt; 7.5&lt;br&gt;
&lt;strong&gt;Published:&lt;/strong&gt; 2026-07-10&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;A high-severity denial-of-service vulnerability in @libp2p/gossipsub prior to version 16.0.0 allows unauthenticated remote attackers to trigger event loop starvation and complete node freeze by exploiting unbounded protobuf decoding limits and nested synchronous array iteration loops.&lt;/p&gt;

&lt;h2&gt;
  
  
  TL;DR
&lt;/h2&gt;

&lt;p&gt;Unbounded protobuf limits and synchronous array loops in @libp2p/gossipsub allow unauthenticated remote attackers to block the single-threaded Node.js event loop, causing a complete denial of service.&lt;/p&gt;




&lt;h2&gt;
  
  
  Technical Details
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;CWE ID&lt;/strong&gt;: CWE-770&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Attack Vector&lt;/strong&gt;: Network (AV:N)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CVSS Score&lt;/strong&gt;: 7.5&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;EPSS Score&lt;/strong&gt;: 0.00446&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Exploit Status&lt;/strong&gt;: poc&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;KEV Status&lt;/strong&gt;: not-listed&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Affected Systems
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;@libp2p/gossipsub prior to 16.0.0&lt;/li&gt;
&lt;li&gt;js-libp2p installations using vulnerable @libp2p/gossipsub modules&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Mitigation Strategies
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Upgrade dependency @libp2p/gossipsub to version 16.0.0 or above&lt;/li&gt;
&lt;li&gt;Configure explicit decodeRpcLimits in GossipSub initialization option block&lt;/li&gt;
&lt;li&gt;Implement event loop lag monitoring in the application infrastructure&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Remediation Steps:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Identify vulnerable @libp2p/gossipsub references in package.json or package-lock.json&lt;/li&gt;
&lt;li&gt;Execute the upgrade to version 16.0.0 or higher&lt;/li&gt;
&lt;li&gt;Alternatively, modify instantiation properties to override default limits manually&lt;/li&gt;
&lt;li&gt;Deploy telemetry to capture event loop blocking spikes&lt;/li&gt;
&lt;/ol&gt;




&lt;p&gt;&lt;em&gt;&lt;a href="https://cvereports.com/reports/CVE-2026-49866" rel="noopener noreferrer"&gt;Read the full report for CVE-2026-49866 on our website&lt;/a&gt; for more details including interactive diagrams and full exploit analysis.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>cve</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>CVE-2026-49858: CVE-2026-49858: Cross-User Attribute and Relation Leak in API Platform Core Serializers</title>
      <dc:creator>CVE Reports</dc:creator>
      <pubDate>Fri, 10 Jul 2026 15:41:01 +0000</pubDate>
      <link>https://dev.to/cverports/cve-2026-49858-cve-2026-49858-cross-user-attribute-and-relation-leak-in-api-platform-core-48ka</link>
      <guid>https://dev.to/cverports/cve-2026-49858-cve-2026-49858-cross-user-attribute-and-relation-leak-in-api-platform-core-48ka</guid>
      <description>&lt;h1&gt;
  
  
  CVE-2026-49858: Cross-User Attribute and Relation Leak in API Platform Core Serializers
&lt;/h1&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Vulnerability ID:&lt;/strong&gt; CVE-2026-49858&lt;br&gt;
&lt;strong&gt;CVSS Score:&lt;/strong&gt; 5.9&lt;br&gt;
&lt;strong&gt;Published:&lt;/strong&gt; 2026-07-10&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;CVE-2026-49858 is a vulnerability in API Platform Core's JSON:API and HAL item normalizers where conditionally secured attributes are cached globally in memory. When deployed in long-running PHP execution environments such as FrankenPHP worker mode, Swoole, or RoadRunner, this persistent caching bypasses property-level security constraints, allowing unprivileged users to access sensitive, unauthorized fields cached during privileged requests.&lt;/p&gt;

&lt;h2&gt;
  
  
  TL;DR
&lt;/h2&gt;

&lt;p&gt;Unsafe in-memory caching in API Platform Core's JSON:API and HAL normalizers leaks sensitive properties across different user contexts when running under persistent PHP environments like FrankenPHP or RoadRunner.&lt;/p&gt;




&lt;h2&gt;
  
  
  Technical Details
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;CWE ID&lt;/strong&gt;: CWE-524&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Attack Vector&lt;/strong&gt;: Network (AV:N)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CVSS v3.1&lt;/strong&gt;: 5.9 (Medium)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;EPSS Score&lt;/strong&gt;: 0.00197&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Impact&lt;/strong&gt;: High Confidentiality Exposure&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Exploit Status&lt;/strong&gt;: None (No public exploit or PoC)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;KEV Status&lt;/strong&gt;: Not Listed&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Affected Systems
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;API Platform Core&lt;/li&gt;
&lt;li&gt;api-platform/core&lt;/li&gt;
&lt;li&gt;api-platform/hal&lt;/li&gt;
&lt;li&gt;api-platform/json-api&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;api-platform/core&lt;/strong&gt;: &amp;gt;= 4.1.0, &amp;lt; 4.1.29 (Fixed in: &lt;code&gt;4.1.29&lt;/code&gt;)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;api-platform/core&lt;/strong&gt;: &amp;gt;= 4.2.0, &amp;lt; 4.2.26 (Fixed in: &lt;code&gt;4.2.26&lt;/code&gt;)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;api-platform/core&lt;/strong&gt;: &amp;gt;= 4.3.0, &amp;lt; 4.3.12 (Fixed in: &lt;code&gt;4.3.12&lt;/code&gt;)&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Code Analysis
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Commit: &lt;a href="https://github.com/api-platform/core/commit/019fd901225a969b1903e093a1773f26ee551dfc" rel="noopener noreferrer"&gt;019fd90&lt;/a&gt;
&lt;/h3&gt;

&lt;p&gt;fix(serializer): gate cache_key in JsonApi and Hal with isCacheKeySafe&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight diff"&gt;&lt;code&gt;&lt;span class="gh"&gt;diff --git a/src/JsonApi/Serializer/ItemNormalizer.php b/src/JsonApi/Serializer/ItemNormalizer.php
index a093a17..dfc4a17 100644
&lt;/span&gt;&lt;span class="gd"&gt;--- a/src/JsonApi/Serializer/ItemNormalizer.php
&lt;/span&gt;&lt;span class="gi"&gt;+++ b/src/JsonApi/Serializer/ItemNormalizer.php
&lt;/span&gt;&lt;span class="p"&gt;@@ -34,3 +34,3 @@&lt;/span&gt;
         if (!isset($context['cache_key'])) {
&lt;span class="gd"&gt;-            $context['cache_key'] = $this-&amp;gt;getCacheKey($format, $context);
&lt;/span&gt;&lt;span class="gi"&gt;+            $context['cache_key'] = $this-&amp;gt;isCacheKeySafe($context) ? $this-&amp;gt;getCacheKey($format, $context) : false;
&lt;/span&gt;         }
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Commit: &lt;a href="https://github.com/api-platform/core/commit/1bfd6eecd27dbb791901eb092606c3ec4a0963d3" rel="noopener noreferrer"&gt;1bfd6ee&lt;/a&gt;
&lt;/h3&gt;

&lt;p&gt;refactor(serializer): bump static analysis rules and optimize cache security key evaluation&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight diff"&gt;&lt;code&gt;&lt;span class="gh"&gt;diff --git a/src/Serializer/AbstractItemNormalizer.php b/src/Serializer/AbstractItemNormalizer.php
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Mitigation Strategies
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Upgrade the API Platform Core package to version 4.1.29, 4.2.26, 4.3.12 or higher.&lt;/li&gt;
&lt;li&gt;Temporarily disable persistent application workers (FrankenPHP worker mode, Swoole, RoadRunner) and fallback to stateless PHP-FPM runtime environments.&lt;/li&gt;
&lt;li&gt;Decorate the SerializerContextBuilder to explicitly nullify the cache_key parameter during serialization of HAL and JSON:API formats.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Remediation Steps:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Run 'composer update api-platform/core' to pull the latest security patch.&lt;/li&gt;
&lt;li&gt;Verify the installed version of API Platform Core using 'composer show api-platform/core'.&lt;/li&gt;
&lt;li&gt;Restart long-running persistent PHP worker processes to purge any compromised cache states from memory.&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  References
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://github.com/api-platform/core/security/advisories/GHSA-pjhx-3c3w-9v23" rel="noopener noreferrer"&gt;GHSA-pjhx-3c3w-9v23 Security Advisory&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.cve.org/CVERecord?id=CVE-2026-49858" rel="noopener noreferrer"&gt;CVE-2026-49858 authoritative CVE Record&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2026-49858" rel="noopener noreferrer"&gt;NVD - CVE-2026-49858 Detailed Report&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/api-platform/core/commit/019fd901225a969b1903e093a1773f26ee551dfc" rel="noopener noreferrer"&gt;Fix Git Commit for ItemNormalizers Cache Key Gating&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;&lt;em&gt;&lt;a href="https://cvereports.com/reports/CVE-2026-49858" rel="noopener noreferrer"&gt;Read the full report for CVE-2026-49858 on our website&lt;/a&gt; for more details including interactive diagrams and full exploit analysis.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>cve</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>CVE-2026-5078: CVE-2026-5078: Log Forging and Injection via :remote-user Token in Morgan Logging Middleware</title>
      <dc:creator>CVE Reports</dc:creator>
      <pubDate>Fri, 10 Jul 2026 15:11:32 +0000</pubDate>
      <link>https://dev.to/cverports/cve-2026-5078-cve-2026-5078-log-forging-and-injection-via-remote-user-token-in-morgan-logging-25df</link>
      <guid>https://dev.to/cverports/cve-2026-5078-cve-2026-5078-log-forging-and-injection-via-remote-user-token-in-morgan-logging-25df</guid>
      <description>&lt;h1&gt;
  
  
  CVE-2026-5078: Log Forging and Injection via :remote-user Token in Morgan Logging Middleware
&lt;/h1&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Vulnerability ID:&lt;/strong&gt; CVE-2026-5078&lt;br&gt;
&lt;strong&gt;CVSS Score:&lt;/strong&gt; 5.3&lt;br&gt;
&lt;strong&gt;Published:&lt;/strong&gt; 2026-07-10&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;CVE-2026-5078 is a log injection vulnerability in Morgan, the widely deployed Node.js HTTP request logging middleware. The vulnerability arises because the ':remote-user' logging token decodes and outputs basic authentication usernames containing control characters, such as Carriage Return (CR) and Line Feed (LF), without sanitization. An unauthenticated attacker can bypass native HTTP header parsers by Base64-encoding CRLF sequences in the Authorization header. When Morgan logs the request, these control characters force newlines in the log stream, enabling log forging, SIEM evasion, and system activity spoofing.&lt;/p&gt;

&lt;h2&gt;
  
  
  TL;DR
&lt;/h2&gt;

&lt;p&gt;Unauthenticated remote log injection in Morgan middleware (versions 1.2.0-1.10.1) due to improper sanitization of basic authentication credentials. Upgrading to version 1.11.0 remediates the vulnerability.&lt;/p&gt;




&lt;h3&gt;
  
  
  ⚠️ Exploit Status: POC
&lt;/h3&gt;

&lt;h2&gt;
  
  
  Technical Details
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;CWE ID&lt;/strong&gt;: CWE-117 (Improper Output Neutralization for Logs)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Attack Vector&lt;/strong&gt;: Network (Remote, Unauthenticated)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CVSS v3.1 Score&lt;/strong&gt;: 5.3 (Medium)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;EPSS Score&lt;/strong&gt;: 0.00246&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Exploit Status&lt;/strong&gt;: Proof-of-Concept&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CISA KEV Status&lt;/strong&gt;: Not Listed&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Affected Systems
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Node.js applications using Morgan middleware versions 1.2.0 through 1.10.1 configured with log formats that include the :remote-user token.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;morgan&lt;/strong&gt;: &amp;gt;= 1.2.0, &amp;lt;= 1.10.1 (Fixed in: &lt;code&gt;1.11.0&lt;/code&gt;)&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Code Analysis
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Commit: &lt;a href="https://github.com/expressjs/morgan/commit/b3f5d9bdb388690dfae9c06ab966328f49b7982b" rel="noopener noreferrer"&gt;b3f5d9b&lt;/a&gt;
&lt;/h3&gt;

&lt;p&gt;Introduces escapeLogField private utility to escape control characters and backslashes for line-oriented logs, and wraps remote-user token outputs.&lt;/p&gt;

&lt;h3&gt;
  
  
  Commit: &lt;a href="https://github.com/expressjs/morgan/commit/e0e6f17574db56396f8e60ebb03bb7aaaeb9cc6f" rel="noopener noreferrer"&gt;e0e6f17&lt;/a&gt;
&lt;/h3&gt;

&lt;p&gt;Release commit for version 1.11.0, including unit test updates to prevent log injection regressions.&lt;/p&gt;

&lt;h2&gt;
  
  
  Exploit Details
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;a href="https://github.com/expressjs/morgan/security/advisories/GHSA-4vj7-5mj6-jm8m" rel="noopener noreferrer"&gt;GitHub Security Advisory&lt;/a&gt;: Proof of concept showcasing unit tests and raw payloads to trigger unescaped carriage returns and log parsing issues.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Mitigation Strategies
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Upgrade the Morgan middleware to version 1.11.0 or later to ensure automatic escaping of control characters.&lt;/li&gt;
&lt;li&gt;Modify custom Morgan logging configurations to exclude the :remote-user token if immediate patching is not possible.&lt;/li&gt;
&lt;li&gt;Deploy Web Application Firewall (WAF) rules to inspect and decode the Authorization: Basic header, blocking requests containing raw CRLF characters.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Remediation Steps:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Identify all Node.js projects utilizing the morgan npm package.&lt;/li&gt;
&lt;li&gt;Verify the installed version of morgan using 'npm list morgan' or checking package-lock.json.&lt;/li&gt;
&lt;li&gt;Update the dependency to version 1.11.0 or higher by running 'npm install &lt;a href="mailto:morgan@1.11.0"&gt;morgan@1.11.0&lt;/a&gt;' or 'npm update morgan'.&lt;/li&gt;
&lt;li&gt;If unable to update, replace pre-built 'combined' or 'common' log formats with custom strings excluding the ':remote-user' token.&lt;/li&gt;
&lt;li&gt;Deploy and test log-monitoring queries to detect escaped sequence signatures 'u0000', 'u001f', or '\r\n' in system logs.&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  References
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://github.com/expressjs/morgan/security/advisories/GHSA-4vj7-5mj6-jm8m" rel="noopener noreferrer"&gt;GitHub Security Advisory GHSA-4vj7-5mj6-jm8m&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://cna.openjsf.org/security-advisories.html" rel="noopener noreferrer"&gt;OpenJS Foundation Security Advisories&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2026-5078" rel="noopener noreferrer"&gt;NVD Vulnerability Details: CVE-2026-5078&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.cve.org/CVERecord?id=CVE-2026-5078" rel="noopener noreferrer"&gt;CVE Org Record: CVE-2026-5078&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;&lt;em&gt;&lt;a href="https://cvereports.com/reports/CVE-2026-5078" rel="noopener noreferrer"&gt;Read the full report for CVE-2026-5078 on our website&lt;/a&gt; for more details including interactive diagrams and full exploit analysis.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>cve</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>CVE-2026-48861: CVE-2026-48861: HTTP Request Splitting and Smuggling via Method Parameter CRLF Injection in Elixir Mint</title>
      <dc:creator>CVE Reports</dc:creator>
      <pubDate>Fri, 10 Jul 2026 04:11:02 +0000</pubDate>
      <link>https://dev.to/cverports/cve-2026-48861-cve-2026-48861-http-request-splitting-and-smuggling-via-method-parameter-crlf-3bah</link>
      <guid>https://dev.to/cverports/cve-2026-48861-cve-2026-48861-http-request-splitting-and-smuggling-via-method-parameter-crlf-3bah</guid>
      <description>&lt;h1&gt;
  
  
  CVE-2026-48861: HTTP Request Splitting and Smuggling via Method Parameter CRLF Injection in Elixir Mint
&lt;/h1&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Vulnerability ID:&lt;/strong&gt; CVE-2026-48861&lt;br&gt;
&lt;strong&gt;CVSS Score:&lt;/strong&gt; 2.1&lt;br&gt;
&lt;strong&gt;Published:&lt;/strong&gt; 2026-07-09&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;CVE-2026-48861 is a client-side HTTP request-line CRLF (Carriage Return Line Feed) injection vulnerability in the popular Elixir HTTP client library, Mint. The vulnerability permits HTTP Request Splitting and HTTP Request Smuggling when an application forwards untrusted, attacker-controlled inputs to Mint's HTTP client requests as either the HTTP request method or target. By embedding CRLF characters within these parameters, an attacker can terminate the request line prematurely, inject malicious headers, or pipeline entirely independent requests. These smuggled requests are then processed by upstream or downstream proxy servers as separate HTTP queries on the same TCP connection. While Mint version 1.7.0 introduced target validation to secure the request target, the HTTP request method parameter remained completely unvalidated. This flaw allows attackers to bypass routing filters, access restricted internal APIs, or poison HTTP caches under default configurations.&lt;/p&gt;

&lt;h2&gt;
  
  
  TL;DR
&lt;/h2&gt;

&lt;p&gt;A CRLF injection vulnerability in Elixir Mint (CVE-2026-48861) allows attackers to perform HTTP Request Splitting and Smuggling by passing control characters in the unvalidated HTTP method parameter.&lt;/p&gt;




&lt;h3&gt;
  
  
  ⚠️ Exploit Status: POC
&lt;/h3&gt;

&lt;h2&gt;
  
  
  Technical Details
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;CWE ID&lt;/strong&gt;: CWE-93 (Improper Neutralization of CRLF Sequences)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Attack Vector&lt;/strong&gt;: Network / Client-Side forwarding&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CVSS Score&lt;/strong&gt;: 2.1 (Low Severity)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;EPSS Score&lt;/strong&gt;: 0.00166 (0.17% probability)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Impact&lt;/strong&gt;: HTTP Request Splitting / HTTP Request Smuggling&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Exploit Status&lt;/strong&gt;: Proof-of-Concept (PoC)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;KEV Status&lt;/strong&gt;: Not Listed&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Affected Systems
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Elixir Mint library versions 0.1.0 through 1.8.1&lt;/li&gt;
&lt;li&gt;Elixir applications utilizing dynamic, user-controlled HTTP methods with Mint&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;mint&lt;/strong&gt;: &amp;gt;= 0.1.0, &amp;lt; 1.9.0 (Fixed in: &lt;code&gt;1.9.0&lt;/code&gt;)&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Code Analysis
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Commit: &lt;a href="https://github.com/elixir-mint/mint/commit/fad091454cbb7449b19edb8e1fee12ca7cf28c3a" rel="noopener noreferrer"&gt;fad0914&lt;/a&gt;
&lt;/h3&gt;

&lt;p&gt;Introduce token validation for the HTTP method in the request line to prevent CRLF injection&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight diff"&gt;&lt;code&gt;&lt;span class="p"&gt;@@ -7,6 +7,7 @@&lt;/span&gt; def encode(method, target, headers, body) do
&lt;span class="gi"&gt;+   validate_method!(method)
+
&lt;/span&gt;    body = [
      encode_request_line(method, target),
      encode_headers(headers),
&lt;span class="p"&gt;@@ -34,6 +35,14 @@&lt;/span&gt; defp validate_method!(method) do
&lt;span class="gi"&gt;+    _ =
+      for &amp;lt;&amp;lt;char &amp;lt;- method&amp;gt;&amp;gt; do
+        unless is_tchar(char) do
+          throw({:mint, {:invalid_request_method, method}})
+        end
+      end
+
+    :ok
+  end
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Exploit Details
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;a href="https://github.com/elixir-mint/mint/security/advisories/GHSA-2pg6-44cx-c49v" rel="noopener noreferrer"&gt;GitHub Security Advisory&lt;/a&gt;: Advisory containing details and verification cases for the CRLF injection vulnerability&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Mitigation Strategies
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Upgrade the Mint dependency to version 1.9.0 or higher to enforce token validation at the library level&lt;/li&gt;
&lt;li&gt;Implement strict, application-level whitelisting for all dynamic HTTP method inputs before they are passed to Mint&lt;/li&gt;
&lt;li&gt;Employ static application security testing (SAST) tools to audit dependencies and identify vulnerable packages&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Remediation Steps:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Open the mix.exs configuration file in the affected Elixir project&lt;/li&gt;
&lt;li&gt;Locate the mint dependency entry and update the version requirement to {:mint, "~&amp;gt; 1.9"}&lt;/li&gt;
&lt;li&gt;Execute the mix deps.get command in the project directory to retrieve the updated package&lt;/li&gt;
&lt;li&gt;Run mix deps.compile mint to ensure the patched version compiles correctly in the local environment&lt;/li&gt;
&lt;li&gt;Deploy the updated application to production environments and monitor application logs for invalid request method exceptions&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  References
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2026-48861" rel="noopener noreferrer"&gt;CVE-2026-48861 National Vulnerability Database&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/elixir-mint/mint/security/advisories/GHSA-2pg6-44cx-c49v" rel="noopener noreferrer"&gt;GitHub Security Advisory GHSA-2pg6-44cx-c49v&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/elixir-mint/mint/commit/fad091454cbb7449b19edb8e1fee12ca7cf28c3a" rel="noopener noreferrer"&gt;Official Fix Commit&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://cna.erlef.org/cves/CVE-2026-48861.html" rel="noopener noreferrer"&gt;Erlang Ecosystem Foundation Advisory&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://osv.dev/vulnerability/EEF-CVE-2026-48861" rel="noopener noreferrer"&gt;OSV Database Entry&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;&lt;em&gt;&lt;a href="https://cvereports.com/reports/CVE-2026-48861" rel="noopener noreferrer"&gt;Read the full report for CVE-2026-48861 on our website&lt;/a&gt; for more details including interactive diagrams and full exploit analysis.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>cve</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>CVE-2026-49753: CVE-2026-49753: HTTP Request/Response Smuggling via Inconsistent Content-Length Parsing in Elixir Mint Client</title>
      <dc:creator>CVE Reports</dc:creator>
      <pubDate>Fri, 10 Jul 2026 03:40:59 +0000</pubDate>
      <link>https://dev.to/cverports/cve-2026-49753-cve-2026-49753-http-requestresponse-smuggling-via-inconsistent-content-length-46fg</link>
      <guid>https://dev.to/cverports/cve-2026-49753-cve-2026-49753-http-requestresponse-smuggling-via-inconsistent-content-length-46fg</guid>
      <description>&lt;h1&gt;
  
  
  CVE-2026-49753: HTTP Request/Response Smuggling via Inconsistent Content-Length Parsing in Elixir Mint Client
&lt;/h1&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Vulnerability ID:&lt;/strong&gt; CVE-2026-49753&lt;br&gt;
&lt;strong&gt;CVSS Score:&lt;/strong&gt; 6.3&lt;br&gt;
&lt;strong&gt;Published:&lt;/strong&gt; 2026-07-09&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;An Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) vulnerability in the Elixir Mint HTTP client allows attacker-controlled HTTP/1 servers to desynchronize response framing on shared connections due to over-lenient parsing of sign-prefixed Content-Length headers.&lt;/p&gt;

&lt;h2&gt;
  
  
  TL;DR
&lt;/h2&gt;

&lt;p&gt;Elixir Mint's parser accepted sign-prefixed Content-Length values (like '+100') due to using Integer.parse/1. Intermediaries strictly enforcing RFC 7230/9110 reject or reframe these headers, enabling HTTP response smuggling and connection poisoning.&lt;/p&gt;




&lt;h2&gt;
  
  
  Technical Details
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;CWE ID&lt;/strong&gt;: CWE-444&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Attack Vector&lt;/strong&gt;: Network&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CVSS v4.0&lt;/strong&gt;: 6.3&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;EPSS Score&lt;/strong&gt;: 0.00301&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Impact&lt;/strong&gt;: HTTP Request/Response Smuggling&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Exploit Status&lt;/strong&gt;: None&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;KEV Status&lt;/strong&gt;: Not Listed&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Affected Systems
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;elixir-mint/mint&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;mint&lt;/strong&gt;: &amp;gt;= 0.1.0, &amp;lt; 1.9.0 (Fixed in: &lt;code&gt;1.9.0&lt;/code&gt;)&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Code Analysis
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Commit: &lt;a href="https://github.com/elixir-mint/mint/commit/47e48027480228e4e32a0b4df39db497b4804921" rel="noopener noreferrer"&gt;47e4802&lt;/a&gt;
&lt;/h3&gt;

&lt;p&gt;Strictly validate Content-Length header to contain only digits to mitigate HTTP request smuggling.&lt;/p&gt;

&lt;h3&gt;
  
  
  Commit: &lt;a href="https://github.com/elixir-mint/mint/commit/65e0e86d799a6d3b08e4372fccdd9747535e0dd6" rel="noopener noreferrer"&gt;65e0e86&lt;/a&gt;
&lt;/h3&gt;

&lt;p&gt;Historical commit in ancestor library xhttp containing the vulnerable parsing pattern.&lt;/p&gt;

&lt;h2&gt;
  
  
  Mitigation Strategies
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Update elixir-mint/mint to version 1.9.0 or later.&lt;/li&gt;
&lt;li&gt;Deploy strict WAF rules to drop sign-prefixed Content-Length headers.&lt;/li&gt;
&lt;li&gt;Avoid connection pooling across distinct security context boundaries when interacting with untrusted upstream hosts.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Remediation Steps:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Identify projects using Mint by auditing mix.lock.&lt;/li&gt;
&lt;li&gt;Update mix.exs dependencies to require {:mint, '~&amp;gt; 1.9.0'}.&lt;/li&gt;
&lt;li&gt;Run mix deps.get to fetch the patched version.&lt;/li&gt;
&lt;li&gt;Validate HTTP header processing in downstream environments to ensure strict RFC compliance.&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  References
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://github.com/elixir-mint/mint/security/advisories/GHSA-mjqx-c6f6-7rc2" rel="noopener noreferrer"&gt;GHSA-mjqx-c6f6-7rc2 Security Advisory&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://cna.erlef.org/cves/CVE-2026-49753.html" rel="noopener noreferrer"&gt;Erlang Ecosystem Foundation CVE Entry&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://osv.dev/vulnerability/EEF-CVE-2026-49753" rel="noopener noreferrer"&gt;OSV Database Entry&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;&lt;em&gt;&lt;a href="https://cvereports.com/reports/CVE-2026-49753" rel="noopener noreferrer"&gt;Read the full report for CVE-2026-49753 on our website&lt;/a&gt; for more details including interactive diagrams and full exploit analysis.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>cve</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>CVE-2026-49754: CVE-2026-49754: Denial of Service via Unbounded HTTP/2 CONTINUATION Frame Accumulation in Elixir Mint</title>
      <dc:creator>CVE Reports</dc:creator>
      <pubDate>Fri, 10 Jul 2026 03:11:00 +0000</pubDate>
      <link>https://dev.to/cverports/cve-2026-49754-cve-2026-49754-denial-of-service-via-unbounded-http2-continuation-frame-3pe4</link>
      <guid>https://dev.to/cverports/cve-2026-49754-cve-2026-49754-denial-of-service-via-unbounded-http2-continuation-frame-3pe4</guid>
      <description>&lt;h1&gt;
  
  
  CVE-2026-49754: Denial of Service via Unbounded HTTP/2 CONTINUATION Frame Accumulation in Elixir Mint
&lt;/h1&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Vulnerability ID:&lt;/strong&gt; CVE-2026-49754&lt;br&gt;
&lt;strong&gt;CVSS Score:&lt;/strong&gt; 8.2&lt;br&gt;
&lt;strong&gt;Published:&lt;/strong&gt; 2026-07-09&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;An allocation of resources without limits or throttling vulnerability in Elixir Mint allows an attacker-controlled HTTP/2 server to exhaust memory in a Mint client. The vulnerability is exploited by sending a HEADERS frame without the END_HEADERS flag followed by an infinite stream of CONTINUATION frames. Because the client lacks limits on the incoming header-block accumulator, the client continuously consumes memory until an out-of-memory crash occurs.&lt;/p&gt;

&lt;h2&gt;
  
  
  TL;DR
&lt;/h2&gt;

&lt;p&gt;An unauthenticated, remote attacker can crash any Elixir application utilizing the Mint client library to establish HTTP/2 connections by hosting a malicious server that streams an infinite series of HTTP/2 CONTINUATION frames.&lt;/p&gt;




&lt;h3&gt;
  
  
  ⚠️ Exploit Status: POC
&lt;/h3&gt;

&lt;h2&gt;
  
  
  Technical Details
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;CWE ID&lt;/strong&gt;: CWE-770&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Attack Vector&lt;/strong&gt;: Network&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CVSS v4.0 Score&lt;/strong&gt;: 8.2 (High)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Exploit Maturity&lt;/strong&gt;: Proof-of-Concept (PoC)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;EPSS Score&lt;/strong&gt;: 0.00384&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CISA KEV Status&lt;/strong&gt;: Not Listed&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Affected Systems
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Applications utilizing the Elixir Mint HTTP client library for outbound HTTP/2 connections.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;mint&lt;/strong&gt;: &amp;gt;= 0.1.0, &amp;lt; 1.9.0 (Fixed in: &lt;code&gt;1.9.0&lt;/code&gt;)&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Code Analysis
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Commit: &lt;a href="https://github.com/elixir-mint/mint/commit/b662d127d3028b5426c88d4c9cc7fe430491a10b" rel="noopener noreferrer"&gt;b662d12&lt;/a&gt;
&lt;/h3&gt;

&lt;p&gt;Bound size of accumulated header blocks to protect against HTTP/2 CONTINUATION floods&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight diff"&gt;&lt;code&gt;&lt;span class="p"&gt;@@ -156,6 +156,12 @@&lt;/span&gt; defmodule Mint.HTTP2 do
   @default_max_frame_size 16_384
   @valid_max_frame_size_range @default_max_frame_size..16_777_215
&lt;span class="err"&gt;
&lt;/span&gt;&lt;span class="gi"&gt;+  # Default cap on the size of an inbound header block.
+  @default_max_header_list_size 256 * 1024
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Exploit Details
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;a href="https://github.com/elixir-mint/mint/security/advisories/GHSA-2p26-p43x-fhp8" rel="noopener noreferrer"&gt;GitHub Security Advisory&lt;/a&gt;: Official replication details verified by Mint maintainers via integrated project unit tests, showing OOM crashes after approximately 64,000 continuous frames.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Mitigation Strategies
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Upgrade the Mint library dependency to version 1.9.0 or higher.&lt;/li&gt;
&lt;li&gt;Restrict connection protocols to HTTP/1.1 when connecting to external or untrusted endpoints to bypass the HTTP/2 continuation frame logic.&lt;/li&gt;
&lt;li&gt;Implement deep packet inspection or proxy limits on outbound HTTP/2 connections to enforce strict limits on continuous framing sequences.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Remediation Steps:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Open the Elixir project configuration file &lt;code&gt;mix.exs&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;Locate the &lt;code&gt;deps&lt;/code&gt; definition and update the &lt;code&gt;mint&lt;/code&gt; dependency requirement to version &lt;code&gt;~&amp;gt; 1.9&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;Run &lt;code&gt;mix deps.get&lt;/code&gt; in your development terminal to download and integrate the updated version.&lt;/li&gt;
&lt;li&gt;Deploy the updated application build to production environments.&lt;/li&gt;
&lt;li&gt;For temporary emergency mitigations, modify connection calls in the application code to use the configuration option &lt;code&gt;protocols: [:http1]&lt;/code&gt;.&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  References
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://github.com/elixir-mint/mint/security/advisories/GHSA-2p26-p43x-fhp8" rel="noopener noreferrer"&gt;GitHub Advisory: Allocation of Resources Without Limits or Throttling in elixir-mint&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://cna.erlef.org/cves/CVE-2026-49754.html" rel="noopener noreferrer"&gt;Erlang Ecosystem Foundation Security Advisory&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://osv.dev/vulnerability/EEF-CVE-2026-49754" rel="noopener noreferrer"&gt;Open Source Vulnerability Database Entry&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;&lt;em&gt;&lt;a href="https://cvereports.com/reports/CVE-2026-49754" rel="noopener noreferrer"&gt;Read the full report for CVE-2026-49754 on our website&lt;/a&gt; for more details including interactive diagrams and full exploit analysis.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>cve</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>CVE-2026-48596: CVE-2026-48596: Improper Neutralization of CRLF Sequences in Elixir Tesla Multipart HTTP Client</title>
      <dc:creator>CVE Reports</dc:creator>
      <pubDate>Fri, 10 Jul 2026 02:40:57 +0000</pubDate>
      <link>https://dev.to/cverports/cve-2026-48596-cve-2026-48596-improper-neutralization-of-crlf-sequences-in-elixir-tesla-multipart-2e80</link>
      <guid>https://dev.to/cverports/cve-2026-48596-cve-2026-48596-improper-neutralization-of-crlf-sequences-in-elixir-tesla-multipart-2e80</guid>
      <description>&lt;h1&gt;
  
  
  CVE-2026-48596: Improper Neutralization of CRLF Sequences in Elixir Tesla Multipart HTTP Client
&lt;/h1&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Vulnerability ID:&lt;/strong&gt; CVE-2026-48596&lt;br&gt;
&lt;strong&gt;CVSS Score:&lt;/strong&gt; 2.1&lt;br&gt;
&lt;strong&gt;Published:&lt;/strong&gt; 2026-07-10&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;CVE-2026-48596 is an Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting, CWE-113) in the Elixir Tesla HTTP client. The flaw resides in how multipart content-type parameters are joined and serialized, enabling attackers to inject arbitrary headers or split HTTP requests when applications pass untrusted inputs to the parameters of multipart uploads.&lt;/p&gt;

&lt;h2&gt;
  
  
  TL;DR
&lt;/h2&gt;

&lt;p&gt;An HTTP request/response splitting vulnerability in elixir-tesla allowed unauthenticated remote attackers to inject arbitrary headers or perform HTTP request smuggling by supplying CRLF characters to the Tesla.Multipart.add_content_type_param/2 function.&lt;/p&gt;




&lt;h3&gt;
  
  
  ⚠️ Exploit Status: POC
&lt;/h3&gt;

&lt;h2&gt;
  
  
  Technical Details
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;CWE ID&lt;/strong&gt;: CWE-113 (Improper Neutralization of CRLF Sequences)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Attack Vector&lt;/strong&gt;: Local/Remote via application integration pattern&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CVSS v4.0 Score&lt;/strong&gt;: 2.1 (Low)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;EPSS Score&lt;/strong&gt;: 0.0017 (Percentile: 6.66%)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Impact&lt;/strong&gt;: HTTP Request Splitting and Header Injection&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Exploit Status&lt;/strong&gt;: poc&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;KEV Status&lt;/strong&gt;: Not Listed&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Affected Systems
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Elixir applications utilizing the elixir-tesla HTTP client library with user-provided parameters forwarded directly to the multipart boundary or charset configuration APIs.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;tesla&lt;/strong&gt;: from 0.8.0 before 1.18.3 (Fixed in: &lt;code&gt;1.18.3&lt;/code&gt;)&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Code Analysis
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Commit: &lt;a href="https://github.com/elixir-tesla/tesla/commit/23601edac5d22ba9407b427967b5bdbda201aec2" rel="noopener noreferrer"&gt;23601ed&lt;/a&gt;
&lt;/h3&gt;

&lt;p&gt;Strictly validate content-type parameters according to RFC 7231 §3.1.1.1, preventing carriage return, line feed, and semicolon characters from being accepted.&lt;/p&gt;

&lt;h2&gt;
  
  
  Mitigation Strategies
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Upgrade to version 1.18.3 or higher of the tesla hex package.&lt;/li&gt;
&lt;li&gt;Sanitize user-provided values passed to add_content_type_param/2 by explicitly stripping or rejecting carriage returns, line feeds, and semicolons.&lt;/li&gt;
&lt;li&gt;Implement static analysis checks to detect unvalidated parameters passing from entry-points into Tesla Multipart constructs.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Remediation Steps:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Open your application's &lt;code&gt;mix.exs&lt;/code&gt; configuration file.&lt;/li&gt;
&lt;li&gt;Locate the &lt;code&gt;tesla&lt;/code&gt; dependency declaration in the &lt;code&gt;deps/0&lt;/code&gt; list.&lt;/li&gt;
&lt;li&gt;Update the version constraint to &lt;code&gt;{:tesla, "~&amp;gt; 1.18.3"}&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;Run &lt;code&gt;mix deps.update tesla&lt;/code&gt; to download and lock the secured package version.&lt;/li&gt;
&lt;li&gt;Run &lt;code&gt;mix test&lt;/code&gt; to confirm that standard multipart behavior remains functional.&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  References
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://github.com/elixir-tesla/tesla/security/advisories/GHSA-q7jx-v53g-848w" rel="noopener noreferrer"&gt;GitHub Security Advisory GHSA-q7jx-v53g-848w&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/elixir-tesla/tesla/commit/23601edac5d22ba9407b427967b5bdbda201aec2" rel="noopener noreferrer"&gt;Fix Commit&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://cna.erlef.org/cves/CVE-2026-48596.html" rel="noopener noreferrer"&gt;Erlang Ecosystem Foundation Advisory details&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://osv.dev/vulnerability/EEF-CVE-2026-48596" rel="noopener noreferrer"&gt;OSV Database Record&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2026-48596" rel="noopener noreferrer"&gt;NVD Vulnerability Record&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.cve.org/CVERecord?id=CVE-2026-48596" rel="noopener noreferrer"&gt;CVE Record&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;&lt;em&gt;&lt;a href="https://cvereports.com/reports/CVE-2026-48596" rel="noopener noreferrer"&gt;Read the full report for CVE-2026-48596 on our website&lt;/a&gt; for more details including interactive diagrams and full exploit analysis.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>cve</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>CVE-2026-48594: CVE-2026-48594: Decompression Bomb Denial of Service in Elixir Tesla HTTP Client</title>
      <dc:creator>CVE Reports</dc:creator>
      <pubDate>Fri, 10 Jul 2026 02:11:04 +0000</pubDate>
      <link>https://dev.to/cverports/cve-2026-48594-cve-2026-48594-decompression-bomb-denial-of-service-in-elixir-tesla-http-client-4b39</link>
      <guid>https://dev.to/cverports/cve-2026-48594-cve-2026-48594-decompression-bomb-denial-of-service-in-elixir-tesla-http-client-4b39</guid>
      <description>&lt;h1&gt;
  
  
  CVE-2026-48594: Decompression Bomb Denial of Service in Elixir Tesla HTTP Client
&lt;/h1&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Vulnerability ID:&lt;/strong&gt; CVE-2026-48594&lt;br&gt;
&lt;strong&gt;CVSS Score:&lt;/strong&gt; 8.2&lt;br&gt;
&lt;strong&gt;Published:&lt;/strong&gt; 2026-07-10&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;An improper handling of highly compressed data (decompression bomb) vulnerability exists in the Elixir Tesla HTTP client when utilizing response decompression middlewares. By serving highly compressed responses or stacked content-encoding headers, a malicious server can cause arbitrary heap exhaustion, leading to a denial of service (DoS) crash in the BEAM virtual machine.&lt;/p&gt;

&lt;h2&gt;
  
  
  TL;DR
&lt;/h2&gt;

&lt;p&gt;Unrestricted decompression and recursive codec handling in Tesla's decompression middleware allow remote servers to trigger heap exhaustion and BEAM VM crashes via tiny, highly compressed response payloads.&lt;/p&gt;




&lt;h3&gt;
  
  
  ⚠️ Exploit Status: POC
&lt;/h3&gt;

&lt;h2&gt;
  
  
  Technical Details
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;CWE ID&lt;/strong&gt;: CWE-409&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Attack Vector&lt;/strong&gt;: Network&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CVSS Score&lt;/strong&gt;: 8.2 (High)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;EPSS Score&lt;/strong&gt;: 0.00329 (Percentile: 24.87%)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Impact&lt;/strong&gt;: Denial of Service (OOM Crash)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Exploit Status&lt;/strong&gt;: Theoretical / Patch Analysis&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;KEV Status&lt;/strong&gt;: Not Listed&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Affected Systems
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Elixir Applications deploying Tesla client pipelines with DecompressResponse or Compression middleware active.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;tesla&lt;/strong&gt;: &amp;gt;= 0.6.0, &amp;lt; 1.18.3 (Fixed in: &lt;code&gt;1.18.3&lt;/code&gt;)&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Code Analysis
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Commit: &lt;a href="https://github.com/elixir-tesla/tesla/commit/340f75b5d191dc747ef7ac6365bd002d1cd55a9d" rel="noopener noreferrer"&gt;340f75b&lt;/a&gt;
&lt;/h3&gt;

&lt;p&gt;Fix decompression vulnerability in Compression middleware by adding size limit check and restricting recursive decompression.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight diff"&gt;&lt;code&gt;&lt;span class="p"&gt;@@ -12,4 +12,14 @@&lt;/span&gt;
&lt;span class="gi"&gt;+    if count_known_codecs(codecs) &amp;gt; 1 do
+      raise Error, reason: :multiple_codecs
+    end
&lt;/span&gt;...
&lt;span class="gi"&gt;+  defp start_inflate(z, body, max_body_size) do
+    case :zlib.safeInflate(z, body) do
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Mitigation Strategies
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Upgrade Tesla dependency to 1.18.3 or higher.&lt;/li&gt;
&lt;li&gt;Enforce mandatory :max_body_size limits in middleware options.&lt;/li&gt;
&lt;li&gt;Avoid handling decompression of external data with unconstrained endpoints.&lt;/li&gt;
&lt;li&gt;Deploy network-level HTTP header filtering to drop stacked Content-Encodings.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Remediation Steps:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Open your project mix.exs file and locate the :tesla dependency.&lt;/li&gt;
&lt;li&gt;Update the version constraint to {:tesla, "~&amp;gt; 1.18.3"} or higher.&lt;/li&gt;
&lt;li&gt;Run mix deps.get to download and lock the updated version.&lt;/li&gt;
&lt;li&gt;Locate modules utilizing Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression.&lt;/li&gt;
&lt;li&gt;Append max_body_size:  configuration parameter.&lt;/li&gt;
&lt;li&gt;Re-compile and run test suites to ensure integration compatibility.&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  References
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://github.com/elixir-tesla/tesla/security/advisories/GHSA-mc85-72gr-vm9f" rel="noopener noreferrer"&gt;GitHub Advisory GHSA-mc85-72gr-vm9f&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/elixir-tesla/tesla/commit/340f75b5d191dc747ef7ac6365bd002d1cd55a9d" rel="noopener noreferrer"&gt;Official Fix Commit&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.cve.org/CVERecord?id=CVE-2026-48594" rel="noopener noreferrer"&gt;CVE-2026-48594 Record&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2026-48594" rel="noopener noreferrer"&gt;NVD CVE-2026-48594 Details&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://cna.erlef.org/cves/CVE-2026-48594.html" rel="noopener noreferrer"&gt;EEF/CNA Advisory Portal&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://osv.dev/vulnerability/EEF-CVE-2026-48594" rel="noopener noreferrer"&gt;OSV Entry for EEF-CVE-2026-48594&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;&lt;em&gt;&lt;a href="https://cvereports.com/reports/CVE-2026-48594" rel="noopener noreferrer"&gt;Read the full report for CVE-2026-48594 on our website&lt;/a&gt; for more details including interactive diagrams and full exploit analysis.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>cve</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>CVE-2026-48595: CVE-2026-48595: Cross-Origin Credential Leakage in Elixir Tesla Client via Case-Sensitive Redirect Filter Bypass</title>
      <dc:creator>CVE Reports</dc:creator>
      <pubDate>Fri, 10 Jul 2026 01:40:58 +0000</pubDate>
      <link>https://dev.to/cverports/cve-2026-48595-cve-2026-48595-cross-origin-credential-leakage-in-elixir-tesla-client-via-17no</link>
      <guid>https://dev.to/cverports/cve-2026-48595-cve-2026-48595-cross-origin-credential-leakage-in-elixir-tesla-client-via-17no</guid>
      <description>&lt;h1&gt;
  
  
  CVE-2026-48595: Cross-Origin Credential Leakage in Elixir Tesla Client via Case-Sensitive Redirect Filter Bypass
&lt;/h1&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Vulnerability ID:&lt;/strong&gt; CVE-2026-48595&lt;br&gt;
&lt;strong&gt;CVSS Score:&lt;/strong&gt; 8.2&lt;br&gt;
&lt;strong&gt;Published:&lt;/strong&gt; 2026-07-10&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;A high-severity security vulnerability in Elixir's Tesla HTTP client library (CVE-2026-48595) allows unauthenticated remote attackers to harvest sensitive credentials, including Authorization headers and cookies. The flaw resides in the 'Tesla.Middleware.FollowRedirects' component, which performs case-sensitive lookups when stripping credentials during cross-origin redirects. Because HTTP headers are case-insensitive by RFC specifications, standard canonical casing (e.g., 'Authorization') bypasses the lowercase-only blocklist, leaking tokens to untrusted external redirect destinations.&lt;/p&gt;

&lt;h2&gt;
  
  
  TL;DR
&lt;/h2&gt;

&lt;p&gt;Case-sensitive header filtering in Tesla's FollowRedirects middleware fails to strip credentials like 'Authorization' during cross-origin redirects if they contain uppercase characters, leading to token leakage to untrusted hosts.&lt;/p&gt;




&lt;h3&gt;
  
  
  ⚠️ Exploit Status: POC
&lt;/h3&gt;

&lt;h2&gt;
  
  
  Technical Details
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;CWE ID&lt;/strong&gt;: CWE-178&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Attack Vector&lt;/strong&gt;: Network (Remote)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CVSS v4 Score&lt;/strong&gt;: 8.2 (High)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;EPSS Score&lt;/strong&gt;: 0.00396 (0.40%)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Exploit Status&lt;/strong&gt;: Proof of Concept (PoC) Publicly Available&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CISA KEV Status&lt;/strong&gt;: Not Listed&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Affected Systems
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Elixir systems integrating the elixir-tesla/tesla library with active follow-redirect modules.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;tesla&lt;/strong&gt;: &amp;gt;= 1.4.0, &amp;lt; 1.18.3 (Fixed in: &lt;code&gt;1.18.3&lt;/code&gt;)&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Code Analysis
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Commit: &lt;a href="https://github.com/elixir-tesla/tesla/commit/db963dba67651b9abd1fc420a1d9679cf6efe182" rel="noopener noreferrer"&gt;db963db&lt;/a&gt;
&lt;/h3&gt;

&lt;p&gt;Hardens header filtering on redirect by introducing proper case normalization and aligning with RFC 9110 expectations.&lt;/p&gt;

&lt;h2&gt;
  
  
  Exploit Details
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;a href="https://github.com/jenniferreire26/CVE-2026-48595" rel="noopener noreferrer"&gt;GitHub&lt;/a&gt;: Proof of Concept validation environment for reproducing the case-sensitivity bypass in elixir-tesla.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Mitigation Strategies
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Upgrade the elixir-tesla/tesla dependency to version 1.18.3 or greater.&lt;/li&gt;
&lt;li&gt;Normalize all outgoing HTTP header keys to lowercase at the application layer prior to dispatching requests.&lt;/li&gt;
&lt;li&gt;Sanitize client-provided redirection inputs to avoid cross-origin redirection routes.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Remediation Steps:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Open your project's mix.exs configuration file.&lt;/li&gt;
&lt;li&gt;Locate the {:tesla, ...} dependency definition.&lt;/li&gt;
&lt;li&gt;Modify the version constraint to requiring '~&amp;gt; 1.18.3' or greater.&lt;/li&gt;
&lt;li&gt;Execute 'mix deps.get' in your shell to fetch the updated packages.&lt;/li&gt;
&lt;li&gt;Rebuild and run tests to ensure no regression occurs.&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  References
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://github.com/elixir-tesla/tesla/security/advisories/GHSA-9m9w-gxf7-rh8m" rel="noopener noreferrer"&gt;GitHub Security Advisory - GHSA-9m9w-gxf7-rh8m&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://cna.erlef.org/cves/CVE-2026-48595.html" rel="noopener noreferrer"&gt;CNA EEF Advisory Record&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://osv.dev/vulnerability/EEF-CVE-2026-48595" rel="noopener noreferrer"&gt;OSV Entry&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.cve.org/CVERecord?id=CVE-2026-48595" rel="noopener noreferrer"&gt;CVE.org Record Database&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;&lt;em&gt;&lt;a href="https://cvereports.com/reports/CVE-2026-48595" rel="noopener noreferrer"&gt;Read the full report for CVE-2026-48595 on our website&lt;/a&gt; for more details including interactive diagrams and full exploit analysis.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>cve</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>CVE-2026-48597: CVE-2026-48597: Denial of Service via Atom Table Exhaustion in Elixir Tesla Client (Mint Adapter)</title>
      <dc:creator>CVE Reports</dc:creator>
      <pubDate>Fri, 10 Jul 2026 01:10:59 +0000</pubDate>
      <link>https://dev.to/cverports/cve-2026-48597-cve-2026-48597-denial-of-service-via-atom-table-exhaustion-in-elixir-tesla-client-2j26</link>
      <guid>https://dev.to/cverports/cve-2026-48597-cve-2026-48597-denial-of-service-via-atom-table-exhaustion-in-elixir-tesla-client-2j26</guid>
      <description>&lt;h1&gt;
  
  
  CVE-2026-48597: Denial of Service via Atom Table Exhaustion in Elixir Tesla Client (Mint Adapter)
&lt;/h1&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Vulnerability ID:&lt;/strong&gt; CVE-2026-48597&lt;br&gt;
&lt;strong&gt;CVSS Score:&lt;/strong&gt; 8.2&lt;br&gt;
&lt;strong&gt;Published:&lt;/strong&gt; 2026-07-10&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;CVE-2026-48597 is a high-severity Denial of Service (DoS) vulnerability in the Elixir HTTP client library Tesla (specifically involving the Mint adapter) that allows an unauthenticated remote attacker to cause an unrecoverable crash of the Erlang Virtual Machine (BEAM). The flaw arises from the dynamic conversion of untrusted URL schemes into Erlang atoms without validation, leading to global atom table exhaustion.&lt;/p&gt;

&lt;h2&gt;
  
  
  TL;DR
&lt;/h2&gt;

&lt;p&gt;A high-severity Denial of Service vulnerability in the Elixir Tesla HTTP client (using the Mint adapter) allows remote, unauthenticated attackers to crash the Erlang VM by submitting arbitrary URL schemes that exhaust the non-garbage-collected atom table.&lt;/p&gt;




&lt;h3&gt;
  
  
  ⚠️ Exploit Status: POC
&lt;/h3&gt;

&lt;h2&gt;
  
  
  Technical Details
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;CWE ID&lt;/strong&gt;: CWE-770&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Attack Vector&lt;/strong&gt;: Network&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CVSS v4.0 Score&lt;/strong&gt;: 8.2 (High)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;EPSS Score&lt;/strong&gt;: 0.00301 (0.30%)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Exploit Status&lt;/strong&gt;: Proof of Concept (poc)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CISA KEV Status&lt;/strong&gt;: Not Listed&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Affected Systems
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;elixir-tesla (tesla Hex package)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;tesla&lt;/strong&gt;: &amp;gt;= 1.3.0, &amp;lt; 1.18.3 (Fixed in: &lt;code&gt;1.18.3&lt;/code&gt;)&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Code Analysis
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Commit: &lt;a href="https://github.com/elixir-tesla/tesla/commit/4699c3cb3e2fd6078f99f45f11cf7466aeedbf0e" rel="noopener noreferrer"&gt;4699c3c&lt;/a&gt;
&lt;/h3&gt;

&lt;p&gt;Fix atom leak in Mint adapter by verifying scheme&lt;/p&gt;

&lt;h2&gt;
  
  
  Exploit Details
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;a href="https://github.com/elixir-tesla/tesla/commit/4699c3cb3e2fd6078f99f45f11cf7466aeedbf0e" rel="noopener noreferrer"&gt;GitHub&lt;/a&gt;: Unit test suite demonstrating dynamic scheme validation bypass and subsequent atom creation prevention.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Mitigation Strategies
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Upgrade the tesla library to version 1.18.3 or later to enforce scheme allow-listing.&lt;/li&gt;
&lt;li&gt;Validate and sanitize user-supplied URLs before passing them to the Tesla client to ensure they only contain approved scheme strings like 'http' or 'https'.&lt;/li&gt;
&lt;li&gt;Disable the automatic following of redirects when interacting with untrusted hosts, or intercept redirect URLs to filter out unexpected schemes.&lt;/li&gt;
&lt;li&gt;Switch to an alternative HTTP adapter (such as Hackney or Finch) that does not convert dynamic request metadata into atoms.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Remediation Steps:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Open your Elixir project's mix.exs file.&lt;/li&gt;
&lt;li&gt;Locate the {:tesla, ...} dependency definition.&lt;/li&gt;
&lt;li&gt;Update the version constraint to '~&amp;gt; 1.18.3' or higher.&lt;/li&gt;
&lt;li&gt;Run 'mix deps.update tesla' in your terminal to fetch and compile the patched version.&lt;/li&gt;
&lt;li&gt;Deploy the updated application to production and monitor the VM's atom table count to verify stability.&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  References
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://github.com/elixir-tesla/tesla/security/advisories/GHSA-h74c-q9j7-mpcm" rel="noopener noreferrer"&gt;GitHub Security Advisory GHSA-h74c-q9j7-mpcm&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/elixir-tesla/tesla/commit/4699c3cb3e2fd6078f99f45f11cf7466aeedbf0e" rel="noopener noreferrer"&gt;Fix Commit on GitHub&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://cna.erlef.org/cves/CVE-2026-48597.html" rel="noopener noreferrer"&gt;Erlang Ecosystem Foundation Advisory&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://osv.dev/vulnerability/EEF-CVE-2026-48597" rel="noopener noreferrer"&gt;OSV Ecosystem Advisory Record&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.cve.org/CVERecord?id=CVE-2026-48597" rel="noopener noreferrer"&gt;CVE.org Official Record&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2026-48597" rel="noopener noreferrer"&gt;NVD Vulnerability Details&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;&lt;em&gt;&lt;a href="https://cvereports.com/reports/CVE-2026-48597" rel="noopener noreferrer"&gt;Read the full report for CVE-2026-48597 on our website&lt;/a&gt; for more details including interactive diagrams and full exploit analysis.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>cve</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>CVE-2026-48598: CVE-2026-48598: Multipart Part Header Injection and Request Smuggling in elixir-tesla</title>
      <dc:creator>CVE Reports</dc:creator>
      <pubDate>Fri, 10 Jul 2026 00:41:02 +0000</pubDate>
      <link>https://dev.to/cverports/cve-2026-48598-cve-2026-48598-multipart-part-header-injection-and-request-smuggling-in-5a0f</link>
      <guid>https://dev.to/cverports/cve-2026-48598-cve-2026-48598-multipart-part-header-injection-and-request-smuggling-in-5a0f</guid>
      <description>&lt;h1&gt;
  
  
  CVE-2026-48598: Multipart Part Header Injection and Request Smuggling in elixir-tesla
&lt;/h1&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Vulnerability ID:&lt;/strong&gt; CVE-2026-48598&lt;br&gt;
&lt;strong&gt;CVSS Score:&lt;/strong&gt; 2.1&lt;br&gt;
&lt;strong&gt;Published:&lt;/strong&gt; 2026-07-10&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;An Improper Encoding or Escaping of Output vulnerability (CWE-116) in elixir-tesla allowed unauthenticated remote code execution or request smuggling via unescaped Content-Disposition parameters in multipart form-data requests.&lt;/p&gt;

&lt;h2&gt;
  
  
  TL;DR
&lt;/h2&gt;

&lt;p&gt;Unescaped carriage returns, line feeds, and double-quotes in elixir-tesla's multipart module allow multipart header injection and request smuggling.&lt;/p&gt;




&lt;h3&gt;
  
  
  ⚠️ Exploit Status: POC
&lt;/h3&gt;

&lt;h2&gt;
  
  
  Technical Details
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;CWE ID&lt;/strong&gt;: CWE-116&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Attack Vector&lt;/strong&gt;: Local&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CVSS v4.0 Score&lt;/strong&gt;: 2.1 (Low)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;EPSS Score&lt;/strong&gt;: 0.00143&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Impact&lt;/strong&gt;: Low Subsequent System Integrity&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Exploit Status&lt;/strong&gt;: Proof of Concept&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;KEV Status&lt;/strong&gt;: Not Listed&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Affected Systems
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;elixir-tesla&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;tesla&lt;/strong&gt;: &amp;gt;= 0.8.0, &amp;lt; 1.18.3 (Fixed in: &lt;code&gt;1.18.3&lt;/code&gt;)&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Code Analysis
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Commit: &lt;a href="https://github.com/elixir-tesla/tesla/commit/bb1a2c3da2775924d96e3db8e315dcc4d5d2246e" rel="noopener noreferrer"&gt;bb1a2c3&lt;/a&gt;
&lt;/h3&gt;

&lt;p&gt;Remediation patch introducing assert_disposition_value! function&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight diff"&gt;&lt;code&gt;&lt;span class="gd"&gt;--- a/lib/tesla/multipart.ex\n+++ b/lib/tesla/multipart.ex
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Commit: &lt;a href="https://github.com/elixir-tesla/tesla/commit/23601edac5d22ba9407b427967b5bdbda201aec2" rel="noopener noreferrer"&gt;23601ed&lt;/a&gt;
&lt;/h3&gt;

&lt;p&gt;Strict RFC 7230 token whitelisting using binary pattern matches&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight diff"&gt;&lt;code&gt;&lt;span class="gd"&gt;--- a/lib/tesla/multipart.ex\n+++ b/lib/tesla/multipart.ex
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Exploit Details
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;a href="https://github.com/elixir-tesla/tesla/security/advisories/GHSA-28jh-g32x-v9v4" rel="noopener noreferrer"&gt;GitHub Security Advisory&lt;/a&gt;: Detailed discussion and description of the vulnerability.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Mitigation Strategies
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Upgrade the elixir-tesla dependency to version 1.18.3 or newer&lt;/li&gt;
&lt;li&gt;Filter user-controlled input values to remove carriage returns, line feeds, and double-quote characters before parsing&lt;/li&gt;
&lt;li&gt;Wrap dynamic multipart compilation steps in exception-handling blocks to prevent application crashes&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Remediation Steps:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Open your mix.exs configuration file&lt;/li&gt;
&lt;li&gt;Locate the {:tesla, "..."} dependency line and update the version requirement to &amp;gt;= 1.18.3&lt;/li&gt;
&lt;li&gt;Execute mix deps.get to fetch the patched version of the package&lt;/li&gt;
&lt;li&gt;Run your test suite to verify no uncaught ArgumentError exceptions occur during multipart serialization&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  References
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.cve.org/CVERecord?id=CVE-2026-48598" rel="noopener noreferrer"&gt;CVE-2026-48598 on CVE.org&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/elixir-tesla/tesla/security/advisories/GHSA-28jh-g32x-v9v4" rel="noopener noreferrer"&gt;GHSA-28jh-g32x-v9v4 Advisory on GitHub&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://cna.erlef.org/cves/CVE-2026-48598.html" rel="noopener noreferrer"&gt;Erlang Ecosystem Foundation CNA Advisory&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://osv.dev/vulnerability/EEF-CVE-2026-48598" rel="noopener noreferrer"&gt;OSV Registry Record for CVE-2026-48598&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;&lt;em&gt;&lt;a href="https://cvereports.com/reports/CVE-2026-48598" rel="noopener noreferrer"&gt;Read the full report for CVE-2026-48598 on our website&lt;/a&gt; for more details including interactive diagrams and full exploit analysis.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>cve</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>CVE-2026-49851: CVE-2026-49851: Algorithmic Complexity Denial of Service in Mistune Markdown Parser</title>
      <dc:creator>CVE Reports</dc:creator>
      <pubDate>Fri, 10 Jul 2026 00:10:58 +0000</pubDate>
      <link>https://dev.to/cverports/cve-2026-49851-cve-2026-49851-algorithmic-complexity-denial-of-service-in-mistune-markdown-parser-4cn</link>
      <guid>https://dev.to/cverports/cve-2026-49851-cve-2026-49851-algorithmic-complexity-denial-of-service-in-mistune-markdown-parser-4cn</guid>
      <description>&lt;h1&gt;
  
  
  CVE-2026-49851: Algorithmic Complexity Denial of Service in Mistune Markdown Parser
&lt;/h1&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Vulnerability ID:&lt;/strong&gt; CVE-2026-49851&lt;br&gt;
&lt;strong&gt;CVSS Score:&lt;/strong&gt; 7.5&lt;br&gt;
&lt;strong&gt;Published:&lt;/strong&gt; 2026-07-09&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;CVE-2026-49851 is a high-severity algorithmic complexity vulnerability in the Mistune Markdown parser. Under specific conditions involving dense, unmatched nesting of opening square brackets, the parser fallback loops degrade from linear execution time to a worst-case quadratic complexity. This allows unauthenticated remote attackers to trigger complete CPU exhaustion and subsequent Denial of Service with a highly compact payload.&lt;/p&gt;

&lt;h2&gt;
  
  
  TL;DR
&lt;/h2&gt;

&lt;p&gt;An algorithmic complexity degradation in the Mistune Markdown parser allows unauthenticated remote attackers to exhaust CPU resources and cause a persistent denial of service via malformed nested bracket sequences.&lt;/p&gt;




&lt;h3&gt;
  
  
  ⚠️ Exploit Status: POC
&lt;/h3&gt;

&lt;h2&gt;
  
  
  Technical Details
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;CWE ID&lt;/strong&gt;: CWE-407&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Attack Vector&lt;/strong&gt;: Network&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CVSS v3.1 Score&lt;/strong&gt;: 7.5 (High)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CVSS v4.0 Score&lt;/strong&gt;: 8.7 (High)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Impact&lt;/strong&gt;: Denial of Service / CPU Exhaustion&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Exploit Status&lt;/strong&gt;: PoC available&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;KEV Status&lt;/strong&gt;: Not listed&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Affected Systems
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Mistune Markdown Parser (PyPI Package)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;mistune&lt;/strong&gt;: &amp;lt; 3.3.0 (Fixed in: &lt;code&gt;3.3.0&lt;/code&gt;)&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Code Analysis
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Commit: &lt;a href="https://github.com/lepture/mistune/commit/d68b0d0c1b8e9bdfc74e14f34793fefa73ac8977" rel="noopener noreferrer"&gt;d68b0d0&lt;/a&gt;
&lt;/h3&gt;

&lt;p&gt;First optimization sweep aiming to skip scanned bracket positions on parsing failure.&lt;/p&gt;

&lt;h3&gt;
  
  
  Commit: &lt;a href="https://github.com/lepture/mistune/commit/b6b499d8ecbd443f715f29d496d0144d0dfebdee" rel="noopener noreferrer"&gt;b6b499d&lt;/a&gt;
&lt;/h3&gt;

&lt;p&gt;Implemented high-water mark optimization tracking no_close_bracket_before limits.&lt;/p&gt;

&lt;h3&gt;
  
  
  Commit: &lt;a href="https://github.com/lepture/mistune/commit/5de41fb8e527004dbc363e047a3c380c9288c74f" rel="noopener noreferrer"&gt;5de41fb&lt;/a&gt;
&lt;/h3&gt;

&lt;p&gt;Complete architecture rewrite implementing the linear bracket map cache.&lt;/p&gt;

&lt;h2&gt;
  
  
  Exploit Details
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;a href="https://github.com/lepture/mistune/security/advisories/GHSA-qcq2-496w-v96p" rel="noopener noreferrer"&gt;GitHub Security Advisories&lt;/a&gt;: Advisory referencing structural algorithmic complexities within the inline parsing engines.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Mitigation Strategies
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Upgrade the Mistune dependency to version 3.3.0 or higher.&lt;/li&gt;
&lt;li&gt;Deploy custom WAF rules to detect and drop payloads with consecutive open brackets.&lt;/li&gt;
&lt;li&gt;Implement application-level input sanitization to filter or reject abnormal bracket nesting.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Remediation Steps:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Identify all python environments utilizing the mistune package.&lt;/li&gt;
&lt;li&gt;Execute pip install --upgrade mistune&amp;gt;=3.3.0 in the target environment.&lt;/li&gt;
&lt;li&gt;Deploy input inspection middleware to drop inputs containing sequence structures of 30 or more consecutive unmatched brackets.&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  References
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://github.com/lepture/mistune/security/advisories/GHSA-qcq2-496w-v96p" rel="noopener noreferrer"&gt;GitHub Security Advisory GHSA-qcq2-496w-v96p&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2026-49851" rel="noopener noreferrer"&gt;National Vulnerability Database record CVE-2026-49851&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://access.redhat.com/security/cve/CVE-2026-49851" rel="noopener noreferrer"&gt;Red Hat Security Advisory Record&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugzilla.redhat.com/show_bug.cgi?id=2492304" rel="noopener noreferrer"&gt;Red Hat Bugzilla Bug Tracker&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-49851.json" rel="noopener noreferrer"&gt;Red Hat Security CSAF VEX File Export&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;&lt;em&gt;&lt;a href="https://cvereports.com/reports/CVE-2026-49851" rel="noopener noreferrer"&gt;Read the full report for CVE-2026-49851 on our website&lt;/a&gt; for more details including interactive diagrams and full exploit analysis.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>cve</category>
      <category>cybersecurity</category>
    </item>
  </channel>
</rss>
