Skip to main content

elixir-mint Mint CVE-2026-48861

| EUVDEUVD-2026-33938 LOW
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-06-02 EEF GHSA-2pg6-44cx-c49v
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 02, 2026 - 18:08 vuln.today
Analysis Generated
Jun 02, 2026 - 18:08 vuln.today
CVSS changed
Jun 02, 2026 - 16:22 NVD
2.1 (LOW)
CVE Published
Jun 02, 2026 - 14:15 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in elixir-mint Mint allows HTTP Request Splitting and HTTP Request Smuggling.

In lib/mint/http1/request.ex, the encode_request_line/2 function splices the caller-supplied method and target arguments directly into the HTTP/1 request line without any character validation: [method, ?\s, target, " HTTP/1.1\r\n"]. An application that forwards attacker-controlled input as the HTTP method or target to Mint.HTTP.request/5 is therefore exposed to request-line CRLF injection: the attacker can terminate the request line early, inject arbitrary headers, and smuggle an entirely separate pipelined HTTP request onto the same TCP connection.

Mint 1.7.0 introduced validate_request_target/2, which rejects CRLF and other control characters in the target by default and closes the path/query vector unless the caller opts out via skip_target_validation: true. The method field remains unvalidated, so the method-based injection is exploitable under the default Mint configuration on all versions.

This issue affects mint: from 0.1.0 before 1.9.0.

AnalysisAI

CRLF injection in the elixir-mint Mint HTTP/1.1 client library (versions 0.1.0 through 1.8.x) enables HTTP Request Splitting and HTTP Request Smuggling on shared TCP connections when applications forward attacker-controlled values as the HTTP method or target to Mint.HTTP.request/5. The target-based vector was partially closed in Mint 1.7.0 via validate_request_target/2, but the method field was left unvalidated in all versions prior to 1.9.0, meaning method-based injection remains exploitable under the default Mint configuration. No public exploit has been identified and the vulnerability is not listed in the CISA KEV catalog; the complete fix shipping method-character validation is available in Mint 1.9.0.

Technical ContextAI

Mint is an HTTP/1.1 and HTTP/2 client library for Elixir (CPE: cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*). The root cause is CWE-93 (Improper Neutralization of CRLF Sequences), located in lib/mint/http1/request.ex within the encode_request_line/2 function, which constructs the HTTP/1 request line by directly interpolating the caller-supplied method and target values - [method, ?\s, target, " HTTP/1.1\r\n"] - without character validation. Because CRLF sequences (\r\n) are the delimiter for HTTP/1.1 message framing, an unescaped \r\n in either field allows an attacker to terminate the request line prematurely, inject arbitrary headers, and append a fully-formed secondary HTTP request to the same TCP connection (request smuggling). Mint 1.7.0 introduced validate_request_target/2 to reject control characters in the target field by default; the patch at commit fad091454cbb7449b19edb8e1fee12ca7cf28c3a adds an analogous validate_method! function that iterates over each byte and rejects any character failing the HTTP token (tchar) definition, closing the method vector.

RemediationAI

The primary remediation is to upgrade Mint to version 1.9.0, which introduces validate_method! in lib/mint/http1/request.ex to enforce HTTP token (tchar) character constraints on the method field, returning {:error, {:invalid_request_method, method}} on invalid input. The patch commit is fad091454cbb7449b19edb8e1fee12ca7cf28c3a (https://github.com/elixir-mint/mint/commit/fad091454cbb7449b19edb8e1fee12ca7cf28c3a). For applications unable to upgrade immediately, the actionable compensating control is to sanitize or allowlist the HTTP method value in application code before passing it to Mint.HTTP.request/5 - for example, rejecting any method value that is not a member of a known-good set (GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS). Additionally, ensure skip_target_validation: true is not set in any Mint connection options, as that opt-out re-enables the target-based injection vector that was closed in 1.7.0. Refer to the vendor advisory at https://github.com/elixir-mint/mint/security/advisories/GHSA-2pg6-44cx-c49v for full details.

Share

CVE-2026-48861 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy