CVE-2026-59249: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in elixir-mint mint
Inconsistent interpretation of HTTP requests (HTTP response smuggling) vulnerability in elixir-mint mint allows a malicious HTTP/1 server to desynchronize a strict intermediary and the Mint client on the same pooled connection, enabling response-queue poisoning against subsequent requests that share the connection. The Mint.HTTP1.decode_body/5 function in lib/mint/http1.ex parses the chunk-size line of a Transfer-Encoding: chunked response with Integer.parse(data, 16). RFC 7230 defines chunk-size = 1*HEXDIG and forbids any sign prefix, but Integer.parse/2 accepts an optional leading + or -. A chunk-size line of +5 is accepted as a five-byte chunk; lines of +0 and -0 are accepted as the terminating zero-length chunk and end the message body early. An RFC-strict intermediary in the response path rejects these forms, so the intermediary and the Mint client disagree on where one response ends and the next begins. On a pooled keep-alive connection, an attacker-influenced origin can inject bytes that the client attributes to the next legitimate response on the same connection, poisoning the response queue and corrupting the responses returned to unrelated in-flight requests. This issue affects mint: from 0.1.0 before 1.9.3.
AI Analysis
Technical Summary
The vulnerability in elixir-mint mint (CVE-2026-59249) stems from the Mint.HTTP1.decode_body/5 function parsing chunk-size lines in Transfer-Encoding: chunked responses using Integer.parse(data, 16), which accepts optional leading '+' or '-' signs. RFC 7230 forbids such signs in chunk-size values. Consequently, an RFC-strict intermediary rejects chunk-size lines with these signs, while Mint accepts them, causing the client and intermediary to disagree on where one response ends and the next begins. On a pooled keep-alive connection, a malicious HTTP/1 server can exploit this to inject bytes that the Mint client attributes incorrectly to subsequent responses, resulting in response-queue poisoning and corrupted responses for unrelated requests. This affects all mint versions from 0.1.0 up to 1.9.3.
Potential Impact
An attacker controlling an HTTP/1 server can exploit this vulnerability to desynchronize the Mint client and intermediaries, leading to response-queue poisoning on pooled keep-alive connections. This can cause the client to receive corrupted or maliciously altered responses for unrelated requests, potentially impacting data integrity and application behavior relying on these HTTP responses.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should avoid using affected versions of mint (0.1.0 through before 1.9.3) in environments where untrusted HTTP/1 servers are present or consider disabling HTTP/1 connection pooling if possible. Monitor vendor communications for updates and apply patches promptly once released.
CVE-2026-59249: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in elixir-mint mint
Description
Inconsistent interpretation of HTTP requests (HTTP response smuggling) vulnerability in elixir-mint mint allows a malicious HTTP/1 server to desynchronize a strict intermediary and the Mint client on the same pooled connection, enabling response-queue poisoning against subsequent requests that share the connection. The Mint.HTTP1.decode_body/5 function in lib/mint/http1.ex parses the chunk-size line of a Transfer-Encoding: chunked response with Integer.parse(data, 16). RFC 7230 defines chunk-size = 1*HEXDIG and forbids any sign prefix, but Integer.parse/2 accepts an optional leading + or -. A chunk-size line of +5 is accepted as a five-byte chunk; lines of +0 and -0 are accepted as the terminating zero-length chunk and end the message body early. An RFC-strict intermediary in the response path rejects these forms, so the intermediary and the Mint client disagree on where one response ends and the next begins. On a pooled keep-alive connection, an attacker-influenced origin can inject bytes that the client attributes to the next legitimate response on the same connection, poisoning the response queue and corrupting the responses returned to unrelated in-flight requests. This issue affects mint: from 0.1.0 before 1.9.3.
CVSS v4.0
Score 6.3medium
Affected software
cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in elixir-mint mint (CVE-2026-59249) stems from the Mint.HTTP1.decode_body/5 function parsing chunk-size lines in Transfer-Encoding: chunked responses using Integer.parse(data, 16), which accepts optional leading '+' or '-' signs. RFC 7230 forbids such signs in chunk-size values. Consequently, an RFC-strict intermediary rejects chunk-size lines with these signs, while Mint accepts them, causing the client and intermediary to disagree on where one response ends and the next begins. On a pooled keep-alive connection, a malicious HTTP/1 server can exploit this to inject bytes that the Mint client attributes incorrectly to subsequent responses, resulting in response-queue poisoning and corrupted responses for unrelated requests. This affects all mint versions from 0.1.0 up to 1.9.3.
Potential Impact
An attacker controlling an HTTP/1 server can exploit this vulnerability to desynchronize the Mint client and intermediaries, leading to response-queue poisoning on pooled keep-alive connections. This can cause the client to receive corrupted or maliciously altered responses for unrelated requests, potentially impacting data integrity and application behavior relying on these HTTP responses.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should avoid using affected versions of mint (0.1.0 through before 1.9.3) in environments where untrusted HTTP/1 servers are present or consider disabling HTTP/1 connection pooling if possible. Monitor vendor communications for updates and apply patches promptly once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-07-04T04:24:03.652Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a58cc1568715ace43ff8f5f
Added to database: 07/16/2026, 12:18:29 UTC
Last enriched: 07/16/2026, 12:32:29 UTC
Last updated: 07/17/2026, 00:10:20 UTC
Views: 12
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.