Skip to main content

Elixir Mint CVE-2026-49753

| EUVDEUVD-2026-33941 MEDIUM
HTTP Request/Response Smuggling (CWE-444)
2026-06-02 EEF GHSA-mjqx-c6f6-7rc2
6.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 02, 2026 - 18:06 vuln.today
Analysis Generated
Jun 02, 2026 - 18:06 vuln.today
CVSS changed
Jun 02, 2026 - 16:22 NVD
6.3 (MEDIUM)
CVE Published
Jun 02, 2026 - 14:15 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in elixir-mint Mint allows attacker-controlled HTTP/1 servers to desynchronise response framing on shared connections.

Mint's HTTP/1 Content-Length parser, Mint.HTTP1.Parse.content_length_header/1 in lib/mint/http1/parse.ex, parses the header value with Integer.parse/1, which accepts an optional + or - sign prefix. The length >= 0 guard rejects negatives, but inputs such as +0 or +123 are returned as valid lengths. RFC 7230 specifies Content-Length = 1*DIGIT, with no sign character permitted.

A fronting proxy or load balancer that strictly enforces the grammar will reject or reframe a header like Content-Length: +0, while Mint silently treats it as zero. When Mint reuses the socket (keep-alive, pipelining, or any pooled connection shared across requesters), the parser disagreement is a response-smuggling primitive: the proxy delimits the body one way, Mint another, and bytes from one response get attributed to the next. Where the same Mint connection is shared across trust boundaries, an attacker-controlled upstream can leak bytes into a different consumer's response stream.

This issue affects mint: from 0.1.0 before 1.9.0.

AnalysisAI

HTTP response smuggling in the Elixir Mint HTTP client library (versions 0.1.0 through before 1.9.0) allows attacker-controlled upstream servers to desynchronize response framing on shared connections by exploiting a non-RFC-compliant Content-Length parser. Mint's parser accepts sign-prefixed integers such as '+0' or '+123' that RFC 7230 forbids, creating a disagreement with RFC-strict fronting proxies about where one HTTP response body ends and the next begins. When Mint reuses connections via keep-alive, pipelining, or pooling across trust boundaries, this parser mismatch can be weaponized to leak bytes from one requester's response into another's stream. No public exploit code has been identified at time of analysis, and no KEV listing exists; a vendor patch (v1.9.0) is available.

Technical ContextAI

The vulnerability exists in Mint.HTTP1.Parse.content_length_header/1 located at lib/mint/http1/parse.ex within the elixir-mint/mint Elixir HTTP client library (CPE: cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*). The root cause, classified as CWE-444 (Inconsistent Interpretation of HTTP Requests), stems from Mint's use of Elixir's built-in Integer.parse/1 function to decode Content-Length header values. Integer.parse/1 accepts an optional leading '+' or '-' sign as valid integer notation per Elixir language semantics, but RFC 7230 strictly defines Content-Length as '1*DIGIT' - ASCII digits only, no sign characters permitted. A negative guard (length >= 0) blocked negative values but left '+'-prefixed inputs (e.g., '+0', '+123') silently accepted as valid lengths. Because Content-Length is the framing delimiter for HTTP/1 response bodies, any proxy or load balancer that enforces strict RFC grammar will parse the boundary differently from Mint, yielding a classical HTTP desynchronization condition. The fix (commit 47e48027480228e4e32a0b4df39db497b4804921) introduces a bespoke only_digits?/1 guard that explicitly rejects any non-digit character including '+', '0x' prefixes, embedded spaces, and leading whitespace, achieving strict RFC 7230 compliance.

RemediationAI

Upgrade to Mint 1.9.0 or later, which incorporates the fix in commit 47e48027480228e4e32a0b4df39db497b4804921 and strictly enforces RFC 7230 Content-Length grammar by replacing Integer.parse/1 with a digit-only validator. The patch and advisory are available at https://github.com/elixir-mint/mint/commit/47e48027480228e4e32a0b4df39db497b4804921 and https://github.com/elixir-mint/mint/security/advisories/GHSA-mjqx-c6f6-7rc2. If an immediate upgrade is not feasible and your application shares Mint connection pools across trust boundaries, disable HTTP keep-alive and connection pooling to force per-request connections, eliminating the desynchronization primitive; note this increases latency and connection overhead. As an additional layer, configure your fronting proxy or load balancer to strictly validate and reject malformed Content-Length headers before forwarding - this hardens the proxy layer but does not fix the non-conformance in Mint itself and should not substitute for patching. Both workarounds have operational trade-offs and are not substitutes for upgrading.

Share

CVE-2026-49753 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy