Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in elixir-mint Mint allows HTTP Request Splitting and HTTP Request Smuggling.
In lib/mint/http1/request.ex, the encode_request_line/2 function splices the caller-supplied method and target arguments directly into the HTTP/1 request line without any character validation: [method, ?\s, target, " HTTP/1.1\r\n"]. An application that forwards attacker-controlled input as the HTTP method or target to Mint.HTTP.request/5 is therefore exposed to request-line CRLF injection: the attacker can terminate the request line early, inject arbitrary headers, and smuggle an entirely separate pipelined HTTP request onto the same TCP connection.
Mint 1.7.0 introduced validate_request_target/2, which rejects CRLF and other control characters in the target by default and closes the path/query vector unless the caller opts out via skip_target_validation: true. The method field remains unvalidated, so the method-based injection is exploitable under the default Mint configuration on all versions.
This issue affects mint: from 0.1.0 before 1.9.0.
AnalysisAI
CRLF injection in the elixir-mint Mint HTTP/1.1 client library (versions 0.1.0 through 1.8.x) enables HTTP Request Splitting and HTTP Request Smuggling on shared TCP connections when applications forward attacker-controlled values as the HTTP method or target to Mint.HTTP.request/5. The target-based vector was partially closed in Mint 1.7.0 via validate_request_target/2, but the method field was left unvalidated in all versions prior to 1.9.0, meaning method-based injection remains exploitable under the default Mint configuration. No public exploit has been identified and the vulnerability is not listed in the CISA KEV catalog; the complete fix shipping method-character validation is available in Mint 1.9.0.
Technical ContextAI
Mint is an HTTP/1.1 and HTTP/2 client library for Elixir (CPE: cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*). The root cause is CWE-93 (Improper Neutralization of CRLF Sequences), located in lib/mint/http1/request.ex within the encode_request_line/2 function, which constructs the HTTP/1 request line by directly interpolating the caller-supplied method and target values - [method, ?\s, target, " HTTP/1.1\r\n"] - without character validation. Because CRLF sequences (\r\n) are the delimiter for HTTP/1.1 message framing, an unescaped \r\n in either field allows an attacker to terminate the request line prematurely, inject arbitrary headers, and append a fully-formed secondary HTTP request to the same TCP connection (request smuggling). Mint 1.7.0 introduced validate_request_target/2 to reject control characters in the target field by default; the patch at commit fad091454cbb7449b19edb8e1fee12ca7cf28c3a adds an analogous validate_method! function that iterates over each byte and rejects any character failing the HTTP token (tchar) definition, closing the method vector.
RemediationAI
The primary remediation is to upgrade Mint to version 1.9.0, which introduces validate_method! in lib/mint/http1/request.ex to enforce HTTP token (tchar) character constraints on the method field, returning {:error, {:invalid_request_method, method}} on invalid input. The patch commit is fad091454cbb7449b19edb8e1fee12ca7cf28c3a (https://github.com/elixir-mint/mint/commit/fad091454cbb7449b19edb8e1fee12ca7cf28c3a). For applications unable to upgrade immediately, the actionable compensating control is to sanitize or allowlist the HTTP method value in application code before passing it to Mint.HTTP.request/5 - for example, rejecting any method value that is not a member of a known-good set (GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS). Additionally, ensure skip_target_validation: true is not set in any Mint connection options, as that opt-out re-enables the target-based injection vector that was closed in 1.7.0. Refer to the vendor advisory at https://github.com/elixir-mint/mint/security/advisories/GHSA-2pg6-44cx-c49v for full details.
Uncontrolled memory allocation in the Elixir Mint HTTP client (Mint.HTTP1 module, versions 0.5.0 through 1.9.0) lets a m
Unbounded memory consumption in the Elixir Mint HTTP client (versions 0.1.0 through 1.9.1) lets a malicious or attacker-
Memory exhaustion in the Elixir Mint HTTP/2 client (versions 0.1.0 through 1.8.x) allows a malicious or compromised HTTP
Memory exhaustion in elixir-mint Mint HTTP/2 client (versions 0.2.0 through 1.8.x) allows a malicious HTTP/2 server to c
Memory exhaustion in elixir-mint's HTTP/2 client library (mint) allows a malicious or attacker-controlled HTTP/2 server
Response-queue poisoning in the elixir-mint Mint HTTP/1.1 client library (versions 0.1.0 through before 1.9.3) allows a
HTTP response smuggling in the Elixir Mint HTTP client library (versions 0.1.0 through before 1.9.0) allows attacker-con
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33938
GHSA-2pg6-44cx-c49v