Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in elixir-tesla tesla allows HTTP header injection via Tesla.Multipart.add_content_type_param/2.
Tesla.Multipart.add_content_type_param/2 appends caller-supplied strings to the multipart content_type_params list without validating for CR (\r) or LF (\n) characters. Tesla.Multipart.headers/1 then joins these params verbatim with "; " to construct the outgoing Content-Type header value. A param containing \r\n splits the header line, allowing arbitrary headers to be injected into the outbound HTTP request. Any application that forwards untrusted input (such as a user-supplied charset or parameter string) into add_content_type_param/2 is affected.
This issue affects tesla: from 0.8.0 before 1.18.3.
AnalysisAI
HTTP header injection in the Tesla Elixir HTTP client library (versions 0.8.0 through before 1.18.3) allows untrusted input forwarded into Tesla.Multipart.add_content_type_param/2 to split outbound Content-Type headers by embedding CR (\r) or LF (\n) characters. When Tesla.Multipart.headers/1 joins content_type_params verbatim with "; ", a maliciously crafted param string terminates the current header line and inserts arbitrary headers into the outbound HTTP request sent by the Tesla client to downstream systems. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists; however, a vendor-released patch is available in version 1.18.3.
Technical ContextAI
Tesla is a flexible, composable HTTP client library for Elixir (CPE: cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*). The affected component is the Tesla.Multipart module, which constructs multipart/form-data HTTP requests. Specifically, Tesla.Multipart.add_content_type_param/2 appends a caller-supplied string to an internal content_type_params list, and Tesla.Multipart.headers/1 later joins those params with "; " to form the Content-Type header value - neither function validated for CR (\r) or LF (\n) characters prior to the fix. CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers) describes this root cause class precisely: when untrusted data containing CRLF is embedded in an HTTP header value, it terminates the current header line and begins a new, attacker-controlled one. The fix (commit 23601edac5d22ba9407b427967b5bdbda201aec2) introduced RFC 7230/7231-compliant character guards (is_tchar, is_field_vchar, is_qdtext) and dedicated assertion functions that raise ArgumentError when any invalid character - including CR, LF, semicolons, or ASCII control characters - appears in content-type params, header names/values, or multipart disposition values.
RemediationAI
Vendor-released patch: tesla 1.18.3. Applications using the Tesla library should upgrade to version 1.18.3 or later, which introduces strict RFC 7230/7231 input validation in Tesla.Multipart - invalid characters in content-type params, header names, header values, and disposition values now raise ArgumentError at the point of insertion rather than being silently passed through. The upstream patch commit is available at https://github.com/elixir-tesla/tesla/commit/23601edac5d22ba9407b427967b5bdbda201aec2 and the vendor advisory at https://github.com/elixir-tesla/tesla/security/advisories/GHSA-q7jx-v53g-848w. If an immediate upgrade is not feasible, applications should sanitize any user-supplied strings by stripping or rejecting CR (\r), LF (\n), and semicolons before passing them to add_content_type_param/2; this should be done at the application boundary where untrusted input is first received. As a further defense, restrict which user-controlled fields are permitted to flow into multipart parameter construction, or replace dynamic charset/param selection with a server-side allowlist of known-safe values - this eliminates the attack surface entirely but may limit flexibility.
Tesla Model 3 V11.0(2022.4.5.1 6b701552d7a6) Tesla mobile app v4.23 is vulnerable to Authentication Bypass by spoofing.
Denial-of-service in elixir-tesla Tesla versions 0.6.0 through 1.18.2 allows remote servers to crash or freeze calling E
Denial of service in the Elixir Tesla HTTP client (versions 1.3.0 through 1.18.2) when using the Tesla.Adapter.Mint adap
Race condition in NVIDIA GPU Display Driver for Linux allows a high-privileged local attacker to leak sensitive kernel o
Race condition exploitation in NVIDIA Display Driver's Linux kernel module allows a local authenticated user to cause de
{k}="#{v}" with no validation of CR, LF, or double-quote characters, enabling a crafted value to close the quoted parame
Same weakness CWE-113 – HTTP Response Splitting
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34016
GHSA-q7jx-v53g-848w