Skip to main content

Req CVE-2026-49756

| EUVDEUVD-2026-35096 LOW
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-06-08 EEF
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 08, 2026 - 18:16 vuln.today
Analysis Generated
Jun 08, 2026 - 18:16 vuln.today
CVSS changed
Jun 08, 2026 - 16:22 NVD
2.1 (LOW)
CVE Published
Jun 08, 2026 - 15:20 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in wojtekmach Req allows multipart parameter smuggling via attacker-influenced part metadata.

Req.Utils.encode_form_part/2 in lib/req/utils.ex builds the per-part headers by interpolating the caller-supplied name, filename, and content_type values directly into the content-disposition and content-type lines with no escaping or CRLF stripping. A value containing ", \r, or \n closes the surrounding quoted value and starts a new header line; an additional \r\n--<boundary> terminates the current part and prepends a smuggled part of the attacker's choosing.

This is reachable through every supported way of supplying a part. It is particularly easy when value is a %File.Stream{}, because filename then defaults to Path.basename(stream.path) and POSIX filenames may legitimately contain \r and \n. Any application that forwards user-controlled filenames (or field names / MIME types) through Req.post/2 with form_multipart: lets an attacker inject arbitrary headers into the outgoing multipart body or smuggle additional fields and parts into the request the victim service sends downstream.

This issue affects req: from 0.5.3 before 0.6.0.

AnalysisAI

CRLF injection in Req, the Elixir HTTP client library (versions 0.5.3 through before 0.6.0), allows an attacker who can influence multipart form field metadata - specifically name, filename, or content_type values - to inject arbitrary headers into outgoing multipart requests or smuggle additional form parts. The flaw exists because Req.Utils.encode_form_part/2 interpolates caller-supplied metadata directly into Content-Disposition and Content-Type header lines without escaping double-quotes, carriage returns, or newlines. The attack surface is particularly accessible when using File.Stream inputs, since POSIX filenames may legitimately contain CR/LF characters. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog; however, any application forwarding user-controlled filenames through Req.post/2 with form_multipart is affected.

Technical ContextAI

Req is an Elixir HTTP client library (cpe:2.3:a:wojtekmach:req) built on Mint and Finch. The vulnerability resides in Req.Utils.encode_form_part/2 at lib/req/utils.ex, which constructs MIME multipart part headers by string interpolation. CWE-93 (Improper Neutralization of CRLF Sequences) applies: the per-part headers use the pattern 'content-disposition: form-data; name="<name>"; filename="<filename>"' with no sanitization. Because multipart boundaries and header delimiters are CRLF-based per RFC 2046, an attacker-controlled value containing \r\n can prematurely terminate a header line and inject new headers, or with an additional \r\n--<boundary> sequence, terminate the current part entirely and prepend a smuggled part. The CVSS 4.0 vector (AV:L/AT:P) reflects that exploitation requires the vulnerable library to be invoked locally with attacker-influenced input, with downstream integrity impact captured via SC:L/SI:L. The fix, applied in commit 74506ff2, introduces an escape_form_param/1 helper that percent-encodes the three dangerous characters - double-quote, CR, and LF - per RFC 7578 and WHATWG form-data specifications.

RemediationAI

Upgrade req to version 0.6.0 or later, which introduces the escape_form_param/1 helper that percent-encodes double-quote, CR, and LF in all per-part metadata fields per RFC 7578. The upstream patch commit is 74506ff2c5addf74df85d79dc726e9b2e264a8ba, available at https://github.com/wojtekmach/req/commit/74506ff2c5addf74df85d79dc726e9b2e264a8ba. Update your mix.exs dependency to {:req, "~> 0.6.0"} and run mix deps.update req. If immediate upgrade is not feasible, the compensating control is to sanitize the name, filename, and content_type values before passing them to Req.post/2 - specifically, strip or percent-encode all occurrences of '"', \r, and \n from these metadata fields in application code before constructing the form_multipart options. This mitigation does not require disabling the form_multipart feature but does require identifying all call sites that accept externally supplied filenames or field names. Applications that use only developer-hardcoded, non-user-controlled metadata are not exposed and require no immediate action.

Share

CVE-2026-49756 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy