Skip to main content

elixir-mint Mint CVE-2026-59249

| EUVDEUVD-2026-44909 MEDIUM
HTTP Request/Response Smuggling (CWE-444)
2026-07-16 EEF
6.3
CVSS 4.0 · Vendor: EEF
Share

Severity by source

Vendor (EEF) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

Network attack vector (AV:N), high complexity (AC:H) for required topology; no privileges or UI needed; scope changed (S:C) as response poisoning corrupts data for other users on the same connection pool; limited C and I impact only.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (EEF).

CVSS VectorVendor: EEF

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 16, 2026 - 12:36 vuln.today
Analysis Generated
Jul 16, 2026 - 12:36 vuln.today

DescriptionCVE.org

Inconsistent interpretation of HTTP requests (HTTP response smuggling) vulnerability in elixir-mint mint allows a malicious HTTP/1 server to desynchronize a strict intermediary and the Mint client on the same pooled connection, enabling response-queue poisoning against subsequent requests that share the connection.

The Mint.HTTP1.decode_body/5 function in lib/mint/http1.ex parses the chunk-size line of a Transfer-Encoding: chunked response with Integer.parse(data, 16). RFC 7230 defines chunk-size = 1*HEXDIG and forbids any sign prefix, but Integer.parse/2 accepts an optional leading + or -. A chunk-size line of +5 is accepted as a five-byte chunk; lines of +0 and -0 are accepted as the terminating zero-length chunk and end the message body early.

An RFC-strict intermediary in the response path rejects these forms, so the intermediary and the Mint client disagree on where one response ends and the next begins. On a pooled keep-alive connection, an attacker-influenced origin can inject bytes that the client attributes to the next legitimate response on the same connection, poisoning the response queue and corrupting the responses returned to unrelated in-flight requests.

This issue affects mint: from 0.1.0 before 1.9.3.

AnalysisAI

Response-queue poisoning in the elixir-mint Mint HTTP/1.1 client library (versions 0.1.0 through before 1.9.3) allows a malicious or attacker-influenced HTTP/1 origin server to desynchronize a strict RFC-compliant intermediary from the Mint client on shared keep-alive pooled connections. The root cause is Mint.HTTP1.decode_body/5 using Elixir's Integer.parse/2 for chunked transfer-encoding chunk-size parsing, which accepts RFC-forbidden leading + or - sign prefixes, causing both parties to disagree on where one HTTP response ends and the next begins. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker controls or compromises HTTP/1 origin server
Delivery
Serve chunked response with signed chunk-size header (+0 or -0)
Exploit
Strict RFC intermediary applies different message boundary than Mint client
Execution
Mint misidentifies response end; attributes injected bytes to next queued request
Persist
Response queue poisoned for co-tenant in-flight requests
Impact
Attacker reads or corrupts unrelated application responses

Vulnerability AssessmentAI

Exploitation Exploitation requires all three of the following conditions simultaneously: (1) The Mint client must be using HTTP/1.1 with a keep-alive pooled connection where multiple in-flight requests share the same TCP connection - without connection pooling, there are no co-tenant requests to poison. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.3 (Medium) with vector AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N accurately reflects conditional, moderate-impact exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who controls or has compromised an HTTP/1 origin server behind a strict RFC-compliant proxy crafts a chunked HTTP response containing a `+0 ` chunk-size header to terminate the response body early. The strict proxy sees this as an invalid chunk-size and applies its own boundary parsing, while Mint accepts `+0` as a valid zero-length terminating chunk, attributing subsequent injected server bytes to the next queued request on the shared keep-alive connection pool. …
Remediation Upgrade elixir-mint Mint to version 1.9.3 or later, which replaces the vulnerable `Integer.parse/2` chunk-size parser with a custom RFC-strict hex-only parser (`Mint.HTTP1.Parse.chunk_size/1`) that explicitly rejects signed integers. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-59249 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy