The vulnerability arises from Mint's HTTP/1 Content-Length parser using Integer.parse/1, which accepts optional '+' or '-' prefixes. Although negative lengths are rejected, positive signed values such as '+0' are accepted, violating RFC 7230's requirement that Content-Length must be composed solely of digits without sign characters. A fronting proxy or load balancer enforcing strict header grammar will reject or reframe such headers, while Mint treats them as valid. This mismatch can cause response framing desynchronization on shared connections, enabling an attacker-controlled HTTP/1 server upstream to smuggle responses and leak data across different consumers sharing the same Mint connection. The issue affects Mint versions from 0.1.0 up to but not including 1.9.0.

An attacker controlling an upstream HTTP/1 server can exploit this vulnerability to desynchronize response framing on shared connections used by Mint clients. This can lead to response smuggling, where bytes from one response are incorrectly attributed to another consumer's response stream, potentially leaking sensitive information between different requesters sharing the same connection. The impact is limited to scenarios where Mint connections are reused across trust boundaries and an attacker controls the upstream server. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid sharing Mint HTTP/1 connections across different trust boundaries or requesters. Consider implementing strict validation of Content-Length headers upstream or using alternative HTTP client libraries that strictly enforce RFC 7230 compliance. Monitor vendor channels for updates regarding patches or official mitigations.