CVE-2026-48861: CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') in elixir-mint mint
CVE-2026-48861 is a CRLF injection vulnerability in the elixir-mint Mint HTTP client library. The vulnerability arises because the encode_request_line/2 function inserts user-supplied HTTP method and target values directly into the HTTP/1 request line without validating for control characters. This allows an attacker to inject CRLF sequences, enabling HTTP request splitting and request smuggling attacks. While Mint 1. 7. 0 added validation to reject CRLF in the target by default, the HTTP method field remains unvalidated, leaving method-based injection exploitable in all affected versions before 1. 9. 0. The vulnerability affects versions from 0. 1.
AI Analysis
Technical Summary
The elixir-mint Mint library versions 0.1.0 through before 1.9.0 contain a CRLF injection vulnerability (CWE-93) in the encode_request_line/2 function. This function constructs the HTTP/1 request line by concatenating the HTTP method and target parameters without validating for CRLF or other control characters. As a result, an attacker controlling these inputs can prematurely terminate the request line, inject arbitrary HTTP headers, and smuggle additional HTTP requests on the same TCP connection. Mint 1.7.0 introduced validation for the target parameter to reject CRLF and control characters by default, but the HTTP method parameter remains unvalidated, leaving the vulnerability exploitable via the method field. This vulnerability enables HTTP request splitting and request smuggling attacks. The issue affects all Mint versions from 0.1.0 before 1.9.0. No official patch or fix is currently documented in the vendor advisory or patch links.
Potential Impact
An attacker who can supply the HTTP method or target parameters to Mint.HTTP.request/5 can exploit this vulnerability to perform HTTP request splitting and HTTP request smuggling. This can lead to injection of arbitrary HTTP headers and the smuggling of additional HTTP requests on the same TCP connection. Such attacks may allow bypassing security controls, cache poisoning, or other HTTP-level manipulations. However, the CVSS score of 2.1 and the low severity rating indicate limited impact or exploitability in typical scenarios.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Mint 1.7.0 and later versions include validation that rejects CRLF and control characters in the target parameter by default, which mitigates injection via the target but not via the HTTP method. Until an official fix is released, users should avoid passing untrusted input as the HTTP method parameter or implement additional validation to reject CRLF/control characters in the method field. Monitor vendor communications for updates regarding an official fix or recommended mitigations.
CVE-2026-48861: CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') in elixir-mint mint
Description
CVE-2026-48861 is a CRLF injection vulnerability in the elixir-mint Mint HTTP client library. The vulnerability arises because the encode_request_line/2 function inserts user-supplied HTTP method and target values directly into the HTTP/1 request line without validating for control characters. This allows an attacker to inject CRLF sequences, enabling HTTP request splitting and request smuggling attacks. While Mint 1. 7. 0 added validation to reject CRLF in the target by default, the HTTP method field remains unvalidated, leaving method-based injection exploitable in all affected versions before 1. 9. 0. The vulnerability affects versions from 0. 1.
CVSS v4.0
Score 2.1low
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The elixir-mint Mint library versions 0.1.0 through before 1.9.0 contain a CRLF injection vulnerability (CWE-93) in the encode_request_line/2 function. This function constructs the HTTP/1 request line by concatenating the HTTP method and target parameters without validating for CRLF or other control characters. As a result, an attacker controlling these inputs can prematurely terminate the request line, inject arbitrary HTTP headers, and smuggle additional HTTP requests on the same TCP connection. Mint 1.7.0 introduced validation for the target parameter to reject CRLF and control characters by default, but the HTTP method parameter remains unvalidated, leaving the vulnerability exploitable via the method field. This vulnerability enables HTTP request splitting and request smuggling attacks. The issue affects all Mint versions from 0.1.0 before 1.9.0. No official patch or fix is currently documented in the vendor advisory or patch links.
Potential Impact
An attacker who can supply the HTTP method or target parameters to Mint.HTTP.request/5 can exploit this vulnerability to perform HTTP request splitting and HTTP request smuggling. This can lead to injection of arbitrary HTTP headers and the smuggling of additional HTTP requests on the same TCP connection. Such attacks may allow bypassing security controls, cache poisoning, or other HTTP-level manipulations. However, the CVSS score of 2.1 and the low severity rating indicate limited impact or exploitability in typical scenarios.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Mint 1.7.0 and later versions include validation that rejects CRLF and control characters in the target parameter by default, which mitigates injection via the target but not via the HTTP method. Until an official fix is released, users should avoid passing untrusted input as the HTTP method parameter or implement additional validation to reject CRLF/control characters in the method field. Monitor vendor communications for updates regarding an official fix or recommended mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-05-25T20:44:10.697Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a1efb6ee29bf47b50db3cbe
Added to database: 6/2/2026, 3:49:02 PM
Last enriched: 6/2/2026, 4:04:26 PM
Last updated: 6/2/2026, 5:14:02 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.