Skip to main content

Mint

8 CVEs product

Monthly

CVE-2026-59249 MEDIUM PATCH This Month

Response-queue poisoning in the elixir-mint Mint HTTP/1.1 client library (versions 0.1.0 through before 1.9.3) allows a malicious or attacker-influenced HTTP/1 origin server to desynchronize a strict RFC-compliant intermediary from the Mint client on shared keep-alive pooled connections. The root cause is `Mint.HTTP1.decode_body/5` using Elixir's `Integer.parse/2` for chunked transfer-encoding chunk-size parsing, which accepts RFC-forbidden leading `+` or `-` sign prefixes, causing both parties to disagree on where one HTTP response ends and the next begins. No public exploit has been identified at time of analysis, but a vendor-released patch is available in Mint 1.9.3.

Request Smuggling Code Injection Mint
NVD GitHub
CVSS 4.0
6.3
CVE-2026-59246 MEDIUM PATCH This Month

Memory exhaustion in elixir-mint's HTTP/2 client library (mint) allows a malicious or attacker-controlled HTTP/2 server to crash any BEAM application using the library by streaming unbounded zero-length CONTINUATION frames that bypass the existing byte-size guard. Affected versions span mint 0.1.0 through 1.9.1; a vendor-released patch is confirmed in 1.9.2. No public exploit or CISA KEV listing exists at time of analysis, but the explicit SSRF and redirect attack vectors meaningfully increase realistic exposure for server-side Elixir applications that proxy user-supplied URLs.

SSRF Denial Of Service Mint
NVD GitHub
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-58229 HIGH PATCH This Week

Unbounded memory consumption in the Elixir Mint HTTP client (versions 0.1.0 through 1.9.1) lets a malicious or attacker-influenced HTTP server crash the entire BEAM application acting as the client. The HTTP/1 header and chunked-trailer parsers accumulate every incoming header line into a per-request buffer with no size or count cap, so a server that streams headers forever without sending the terminating blank line drives the client host to out-of-memory death. No public exploit or CISA KEV listing has been identified at time of analysis; a vendor patch (1.9.2) and fix commit are available, and the EPSS/POC signals are unremarked in the source data.

SSRF Denial Of Service Mint
NVD GitHub
CVSS 4.0
8.2
EPSS
0.3%
CVE-2026-56810 HIGH PATCH This Week

Uncontrolled memory allocation in the Elixir Mint HTTP client (Mint.HTTP1 module, versions 0.5.0 through 1.9.0) lets a malicious or compromised HTTP server exhaust a client's memory and force an out-of-memory crash. When decoding a chunked response, Mint buffers every byte of the current chunk in an unbounded iolist and withholds it from the caller until the full declared chunk length arrives, so a server that advertises a huge chunk size (e.g. 0x7FFFFFFF ≈ 2 GiB) and then dribbles bytes slowly drives client memory arbitrarily high. This CWE-770 flaw is a denial-of-service only (VA:H, no confidentiality or integrity impact) with no public exploit identified at time of analysis and no CISA KEV listing.

Denial Of Service Mint
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-49753 MEDIUM POC PATCH GHSA This Month

HTTP response smuggling in the Elixir Mint HTTP client library (versions 0.1.0 through before 1.9.0) allows attacker-controlled upstream servers to desynchronize response framing on shared connections by exploiting a non-RFC-compliant Content-Length parser. Mint's parser accepts sign-prefixed integers such as '+0' or '+123' that RFC 7230 forbids, creating a disagreement with RFC-strict fronting proxies about where one HTTP response body ends and the next begins. When Mint reuses connections via keep-alive, pipelining, or pooling across trust boundaries, this parser mismatch can be weaponized to leak bytes from one requester's response into another's stream. No public exploit code has been identified at time of analysis, and no KEV listing exists; a vendor patch (v1.9.0) is available.

Information Disclosure Request Smuggling Mint
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-49754 HIGH POC PATCH GHSA This Week

Memory exhaustion in the Elixir Mint HTTP/2 client (versions 0.1.0 through 1.8.x) allows a malicious or compromised HTTP/2 server to crash the client's BEAM process via a CONTINUATION frame flood. The client's receive path buffers HEADERS and CONTINUATION fragments into an unbounded accumulator because SETTINGS_MAX_HEADER_LIST_SIZE defaulted to :infinity and was only enforced on outbound requests, so a single attacker-controlled endpoint can force unlimited iolist growth until the process dies. No public exploit identified at time of analysis, but a verified upstream patch and detailed advisory exist.

Denial Of Service Mint
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-48862 HIGH POC PATCH GHSA This Week

Memory exhaustion in elixir-mint Mint HTTP/2 client (versions 0.2.0 through 1.8.x) allows a malicious HTTP/2 server to crash the client process by flooding PUSH_PROMISE frames without follow-up HEADERS, since reserved stream entries bypass the max_concurrent_streams cap. CVSS 4.0 score is 8.2 with attack vector network and high availability impact, but no public exploit is identified at time of analysis and the bug requires the client to connect to a hostile server. Server push is accepted by default (enable_push=true), so any Mint-based HTTP client reaching an attacker-controlled origin is exposed.

Denial Of Service Mint
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-48861 LOW POC PATCH GHSA Monitor

CRLF injection in the elixir-mint Mint HTTP/1.1 client library (versions 0.1.0 through 1.8.x) enables HTTP Request Splitting and HTTP Request Smuggling on shared TCP connections when applications forward attacker-controlled values as the HTTP method or target to Mint.HTTP.request/5. The target-based vector was partially closed in Mint 1.7.0 via validate_request_target/2, but the method field was left unvalidated in all versions prior to 1.9.0, meaning method-based injection remains exploitable under the default Mint configuration. No public exploit has been identified and the vulnerability is not listed in the CISA KEV catalog; the complete fix shipping method-character validation is available in Mint 1.9.0.

RCE Mint
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVSS 6.3
MEDIUM PATCH This Month

Response-queue poisoning in the elixir-mint Mint HTTP/1.1 client library (versions 0.1.0 through before 1.9.3) allows a malicious or attacker-influenced HTTP/1 origin server to desynchronize a strict RFC-compliant intermediary from the Mint client on shared keep-alive pooled connections. The root cause is `Mint.HTTP1.decode_body/5` using Elixir's `Integer.parse/2` for chunked transfer-encoding chunk-size parsing, which accepts RFC-forbidden leading `+` or `-` sign prefixes, causing both parties to disagree on where one HTTP response ends and the next begins. No public exploit has been identified at time of analysis, but a vendor-released patch is available in Mint 1.9.3.

Request Smuggling Code Injection Mint
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Memory exhaustion in elixir-mint's HTTP/2 client library (mint) allows a malicious or attacker-controlled HTTP/2 server to crash any BEAM application using the library by streaming unbounded zero-length CONTINUATION frames that bypass the existing byte-size guard. Affected versions span mint 0.1.0 through 1.9.1; a vendor-released patch is confirmed in 1.9.2. No public exploit or CISA KEV listing exists at time of analysis, but the explicit SSRF and redirect attack vectors meaningfully increase realistic exposure for server-side Elixir applications that proxy user-supplied URLs.

SSRF Denial Of Service Mint
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Unbounded memory consumption in the Elixir Mint HTTP client (versions 0.1.0 through 1.9.1) lets a malicious or attacker-influenced HTTP server crash the entire BEAM application acting as the client. The HTTP/1 header and chunked-trailer parsers accumulate every incoming header line into a per-request buffer with no size or count cap, so a server that streams headers forever without sending the terminating blank line drives the client host to out-of-memory death. No public exploit or CISA KEV listing has been identified at time of analysis; a vendor patch (1.9.2) and fix commit are available, and the EPSS/POC signals are unremarked in the source data.

SSRF Denial Of Service Mint
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Uncontrolled memory allocation in the Elixir Mint HTTP client (Mint.HTTP1 module, versions 0.5.0 through 1.9.0) lets a malicious or compromised HTTP server exhaust a client's memory and force an out-of-memory crash. When decoding a chunked response, Mint buffers every byte of the current chunk in an unbounded iolist and withholds it from the caller until the full declared chunk length arrives, so a server that advertises a huge chunk size (e.g. 0x7FFFFFFF ≈ 2 GiB) and then dribbles bytes slowly drives client memory arbitrarily high. This CWE-770 flaw is a denial-of-service only (VA:H, no confidentiality or integrity impact) with no public exploit identified at time of analysis and no CISA KEV listing.

Denial Of Service Mint
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM POC PATCH This Month

HTTP response smuggling in the Elixir Mint HTTP client library (versions 0.1.0 through before 1.9.0) allows attacker-controlled upstream servers to desynchronize response framing on shared connections by exploiting a non-RFC-compliant Content-Length parser. Mint's parser accepts sign-prefixed integers such as '+0' or '+123' that RFC 7230 forbids, creating a disagreement with RFC-strict fronting proxies about where one HTTP response body ends and the next begins. When Mint reuses connections via keep-alive, pipelining, or pooling across trust boundaries, this parser mismatch can be weaponized to leak bytes from one requester's response into another's stream. No public exploit code has been identified at time of analysis, and no KEV listing exists; a vendor patch (v1.9.0) is available.

Information Disclosure Request Smuggling Mint
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH POC PATCH This Week

Memory exhaustion in the Elixir Mint HTTP/2 client (versions 0.1.0 through 1.8.x) allows a malicious or compromised HTTP/2 server to crash the client's BEAM process via a CONTINUATION frame flood. The client's receive path buffers HEADERS and CONTINUATION fragments into an unbounded accumulator because SETTINGS_MAX_HEADER_LIST_SIZE defaulted to :infinity and was only enforced on outbound requests, so a single attacker-controlled endpoint can force unlimited iolist growth until the process dies. No public exploit identified at time of analysis, but a verified upstream patch and detailed advisory exist.

Denial Of Service Mint
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH POC PATCH This Week

Memory exhaustion in elixir-mint Mint HTTP/2 client (versions 0.2.0 through 1.8.x) allows a malicious HTTP/2 server to crash the client process by flooding PUSH_PROMISE frames without follow-up HEADERS, since reserved stream entries bypass the max_concurrent_streams cap. CVSS 4.0 score is 8.2 with attack vector network and high availability impact, but no public exploit is identified at time of analysis and the bug requires the client to connect to a hostile server. Server push is accepted by default (enable_push=true), so any Mint-based HTTP client reaching an attacker-controlled origin is exposed.

Denial Of Service Mint
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

CRLF injection in the elixir-mint Mint HTTP/1.1 client library (versions 0.1.0 through 1.8.x) enables HTTP Request Splitting and HTTP Request Smuggling on shared TCP connections when applications forward attacker-controlled values as the HTTP method or target to Mint.HTTP.request/5. The target-based vector was partially closed in Mint 1.7.0 via validate_request_target/2, but the method field was left unvalidated in all versions prior to 1.9.0, meaning method-based injection remains exploitable under the default Mint configuration. No public exploit has been identified and the vulnerability is not listed in the CISA KEV catalog; the complete fix shipping method-character validation is available in Mint 1.9.0.

RCE Mint
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy