CVE-2026-48598: CWE-116 Improper Encoding or Escaping of Output in elixir-tesla tesla
Improper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped Content-Disposition parameter values. Tesla.Multipart.part_headers_for_disposition/1 interpolates each disposition parameter as #{k}="#{v}" with no validation of CR (\r), LF (\n), or double-quote characters. The values come verbatim from the caller via Tesla.Multipart.add_field/4 (the name parameter), Tesla.Multipart.add_file/3, and Tesla.Multipart.add_file_content/4 (both the filename parameter and other disposition opts). A " in the value closes the quoted parameter early; a \r\n ends the Content-Disposition header line and starts a new part header (such as a forged Content-Type), or, after a second \r\n, ends the entire part header block and prepends bytes to the part body. The default-filename path in add_file/3 derives the filename via Path.basename/1, which does not strip CR or LF, so any application forwarding a partially-attacker-controlled file path inherits the same issue. This issue affects tesla: from 0.8.0 before 1.18.3.
AI Analysis
Technical Summary
The elixir-tesla tesla library versions 0.8.0 up to but not including 1.18.3 contain a CWE-116 vulnerability where multipart part headers are improperly encoded or escaped. Specifically, Tesla.Multipart.part_headers_for_disposition/1 constructs Content-Disposition headers by interpolating parameters without sanitizing CR (\r), LF (\n), or double-quote characters. This allows an attacker controlling these parameters to inject additional headers or manipulate the multipart message structure. The issue affects parameters passed via Tesla.Multipart.add_field/4, Tesla.Multipart.add_file/3, and Tesla.Multipart.add_file_content/4, including filenames derived from Path.basename/1 which does not remove CR or LF characters.
Potential Impact
The vulnerability could allow an attacker to inject multipart part headers by including special characters in Content-Disposition parameters, potentially leading to malformed multipart requests or responses. However, the CVSS score of 2.1 and the low severity rating indicate limited impact, with no direct evidence of privilege escalation, remote code execution, or data disclosure. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the vulnerability affects versions before 1.18.3, upgrading to version 1.18.3 or later (if available) is recommended once confirmed. Until then, users should avoid passing untrusted input directly into Content-Disposition parameters or sanitize input to remove CR, LF, and double-quote characters. Monitor vendor communications for an official fix or guidance.
CVE-2026-48598: CWE-116 Improper Encoding or Escaping of Output in elixir-tesla tesla
Description
Improper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped Content-Disposition parameter values. Tesla.Multipart.part_headers_for_disposition/1 interpolates each disposition parameter as #{k}="#{v}" with no validation of CR (\r), LF (\n), or double-quote characters. The values come verbatim from the caller via Tesla.Multipart.add_field/4 (the name parameter), Tesla.Multipart.add_file/3, and Tesla.Multipart.add_file_content/4 (both the filename parameter and other disposition opts). A " in the value closes the quoted parameter early; a \r\n ends the Content-Disposition header line and starts a new part header (such as a forged Content-Type), or, after a second \r\n, ends the entire part header block and prepends bytes to the part body. The default-filename path in add_file/3 derives the filename via Path.basename/1, which does not strip CR or LF, so any application forwarding a partially-attacker-controlled file path inherits the same issue. This issue affects tesla: from 0.8.0 before 1.18.3.
CVSS v4.0
Score 2.1low
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The elixir-tesla tesla library versions 0.8.0 up to but not including 1.18.3 contain a CWE-116 vulnerability where multipart part headers are improperly encoded or escaped. Specifically, Tesla.Multipart.part_headers_for_disposition/1 constructs Content-Disposition headers by interpolating parameters without sanitizing CR (\r), LF (\n), or double-quote characters. This allows an attacker controlling these parameters to inject additional headers or manipulate the multipart message structure. The issue affects parameters passed via Tesla.Multipart.add_field/4, Tesla.Multipart.add_file/3, and Tesla.Multipart.add_file_content/4, including filenames derived from Path.basename/1 which does not remove CR or LF characters.
Potential Impact
The vulnerability could allow an attacker to inject multipart part headers by including special characters in Content-Disposition parameters, potentially leading to malformed multipart requests or responses. However, the CVSS score of 2.1 and the low severity rating indicate limited impact, with no direct evidence of privilege escalation, remote code execution, or data disclosure. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the vulnerability affects versions before 1.18.3, upgrading to version 1.18.3 or later (if available) is recommended once confirmed. Until then, users should avoid passing untrusted input directly into Content-Disposition parameters or sanitize input to remove CR, LF, and double-quote characters. Monitor vendor communications for an official fix or guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-05-22T09:36:56.834Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a1f3494e29bf47b50fa2543
Added to database: 6/2/2026, 7:52:52 PM
Last enriched: 6/2/2026, 8:04:13 PM
Last updated: 6/3/2026, 4:13:08 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.