Skip to main content

Tesla CVE-2026-48596

| EUVDEUVD-2026-34016 LOW
HTTP Response Splitting (CWE-113)
2026-06-02 EEF GHSA-q7jx-v53g-848w
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 02, 2026 - 20:27 vuln.today
Analysis Generated
Jun 02, 2026 - 20:27 vuln.today
CVSS changed
Jun 02, 2026 - 20:22 NVD
2.1 (LOW)

DescriptionCVE.org

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in elixir-tesla tesla allows HTTP header injection via Tesla.Multipart.add_content_type_param/2.

Tesla.Multipart.add_content_type_param/2 appends caller-supplied strings to the multipart content_type_params list without validating for CR (\r) or LF (\n) characters. Tesla.Multipart.headers/1 then joins these params verbatim with "; " to construct the outgoing Content-Type header value. A param containing \r\n splits the header line, allowing arbitrary headers to be injected into the outbound HTTP request. Any application that forwards untrusted input (such as a user-supplied charset or parameter string) into add_content_type_param/2 is affected.

This issue affects tesla: from 0.8.0 before 1.18.3.

AnalysisAI

HTTP header injection in the Tesla Elixir HTTP client library (versions 0.8.0 through before 1.18.3) allows untrusted input forwarded into Tesla.Multipart.add_content_type_param/2 to split outbound Content-Type headers by embedding CR (\r) or LF (\n) characters. When Tesla.Multipart.headers/1 joins content_type_params verbatim with "; ", a maliciously crafted param string terminates the current header line and inserts arbitrary headers into the outbound HTTP request sent by the Tesla client to downstream systems. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists; however, a vendor-released patch is available in version 1.18.3.

Technical ContextAI

Tesla is a flexible, composable HTTP client library for Elixir (CPE: cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*). The affected component is the Tesla.Multipart module, which constructs multipart/form-data HTTP requests. Specifically, Tesla.Multipart.add_content_type_param/2 appends a caller-supplied string to an internal content_type_params list, and Tesla.Multipart.headers/1 later joins those params with "; " to form the Content-Type header value - neither function validated for CR (\r) or LF (\n) characters prior to the fix. CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers) describes this root cause class precisely: when untrusted data containing CRLF is embedded in an HTTP header value, it terminates the current header line and begins a new, attacker-controlled one. The fix (commit 23601edac5d22ba9407b427967b5bdbda201aec2) introduced RFC 7230/7231-compliant character guards (is_tchar, is_field_vchar, is_qdtext) and dedicated assertion functions that raise ArgumentError when any invalid character - including CR, LF, semicolons, or ASCII control characters - appears in content-type params, header names/values, or multipart disposition values.

RemediationAI

Vendor-released patch: tesla 1.18.3. Applications using the Tesla library should upgrade to version 1.18.3 or later, which introduces strict RFC 7230/7231 input validation in Tesla.Multipart - invalid characters in content-type params, header names, header values, and disposition values now raise ArgumentError at the point of insertion rather than being silently passed through. The upstream patch commit is available at https://github.com/elixir-tesla/tesla/commit/23601edac5d22ba9407b427967b5bdbda201aec2 and the vendor advisory at https://github.com/elixir-tesla/tesla/security/advisories/GHSA-q7jx-v53g-848w. If an immediate upgrade is not feasible, applications should sanitize any user-supplied strings by stripping or rejecting CR (\r), LF (\n), and semicolons before passing them to add_content_type_param/2; this should be done at the application boundary where untrusted input is first received. As a further defense, restrict which user-controlled fields are permitted to flow into multipart parameter construction, or replace dynamic charset/param selection with a server-side allowlist of known-safe values - this eliminates the attack surface entirely but may limit flexibility.

Share

CVE-2026-48596 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy