Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
95 vulnerabilities
CVE-2026-53423 (GCVE-0-2026-53423)
Vulnerability from cvelistv5 – Published: 2026-06-11 10:44 – Updated: 2026-06-12 04:45
VLAI
Title
Unauthenticated denial-of-service via BEAM atom table exhaustion in membrane_mp4_plugin
Summary
Allocation of Resources Without Limits or Throttling vulnerability in membraneframework membrane_mp4_plugin allows unauthenticated denial-of-service via BEAM atom table exhaustion.
The MP4 box header parser converts each 4-byte box name to an atom using String.to_atom/1 without validation. 'Elixir.Membrane.MP4.Container.Header':parse_box_name/1 in lib/membrane_mp4/container/header.ex interns every box name encountered while 'Elixir.Membrane.MP4.Container.Header':parse/1 walks the input. BEAM atoms are never garbage-collected, so each unique attacker-controlled 4-byte name is a permanent allocation. A crafted MP4 of approximately 8 MB containing roughly 1.1 million boxes with distinct non-standard names exhausts the atom table (default ceiling around 1,048,576 atoms), aborting the entire BEAM node and taking down all applications running on it.
This issue affects membrane_mp4_plugin from 0.3.0 before 0.36.7.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/membraneframework/membrane_mp4… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-53423.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-53423 | related |
| https://github.com/membraneframework/membrane_mp4… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| membraneframework | membrane_mp4_plugin |
Affected:
0.3.0 , < 0.36.7
(semver)
cpe:2.3:a:membraneframework:membrane_mp4_plugin:*:*:*:*:*:*:*:* |
|
| membraneframework | membrane_mp4_plugin |
Affected:
ae4bf04c393aa1562f3df3d33e20bc5cb8130de2 , < 56373d1ddc86968e55fbde795c14eeba24357b57
(git)
cpe:2.3:a:membraneframework:membrane_mp4_plugin:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53423",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-11T12:09:51.183359Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T12:11:18.865Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/membraneframework/membrane_mp4_plugin/security/advisories/GHSA-43hj-fxwj-49qw"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:membraneframework:membrane_mp4_plugin:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"Elixir.Membrane.MP4.Container.Header"
],
"packageName": "membrane_mp4_plugin",
"packageURL": "pkg:hex/membrane_mp4_plugin",
"product": "membrane_mp4_plugin",
"programFiles": [
"lib/membrane_mp4/container/header.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Membrane.MP4.Container.Header\u0027:parse/1"
},
{
"name": "\u0027Elixir.Membrane.MP4.Container.Header\u0027:parse_box_name/1"
}
],
"repo": "https://github.com/membraneframework/membrane_mp4_plugin",
"vendor": "membraneframework",
"versions": [
{
"lessThan": "0.36.7",
"status": "affected",
"version": "0.3.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:membraneframework:membrane_mp4_plugin:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"Elixir.Membrane.MP4.Container.Header"
],
"packageName": "membraneframework/membrane_mp4_plugin",
"packageURL": "pkg:github/membraneframework/membrane_mp4_plugin",
"product": "membrane_mp4_plugin",
"programFiles": [
"lib/membrane_mp4/container/header.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Membrane.MP4.Container.Header\u0027:parse/1"
},
{
"name": "\u0027Elixir.Membrane.MP4.Container.Header\u0027:parse_box_name/1"
}
],
"repo": "https://github.com/membraneframework/membrane_mp4_plugin",
"vendor": "membraneframework",
"versions": [
{
"lessThan": "56373d1ddc86968e55fbde795c14eeba24357b57",
"status": "affected",
"version": "ae4bf04c393aa1562f3df3d33e20bc5cb8130de2",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:membraneframework:membrane_mp4_plugin:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.36.7",
"versionStartIncluding": "0.3.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "\u0141ukasz Kita"
},
{
"lang": "en",
"type": "remediation developer",
"value": "\u0141ukasz Kita"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Mateusz Front"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAllocation of Resources Without Limits or Throttling vulnerability in membraneframework membrane_mp4_plugin allows unauthenticated denial-of-service via BEAM atom table exhaustion.\u003c/p\u003e\u003cp\u003eThe MP4 box header parser converts each 4-byte box name to an atom using \u003ctt\u003eString.to_atom/1\u003c/tt\u003e without validation. \u003ctt\u003e\u0027Elixir.Membrane.MP4.Container.Header\u0027:parse_box_name/1\u003c/tt\u003e in \u003ctt\u003elib/membrane_mp4/container/header.ex\u003c/tt\u003e interns every box name encountered while \u003ctt\u003e\u0027Elixir.Membrane.MP4.Container.Header\u0027:parse/1\u003c/tt\u003e walks the input. BEAM atoms are never garbage-collected, so each unique attacker-controlled 4-byte name is a permanent allocation. A crafted MP4 of approximately 8 MB containing roughly 1.1 million boxes with distinct non-standard names exhausts the atom table (default ceiling around 1,048,576 atoms), aborting the entire BEAM node and taking down all applications running on it.\u003c/p\u003e\u003cp\u003eThis issue affects membrane_mp4_plugin from 0.3.0 before 0.36.7.\u003c/p\u003e"
}
],
"value": "Allocation of Resources Without Limits or Throttling vulnerability in membraneframework membrane_mp4_plugin allows unauthenticated denial-of-service via BEAM atom table exhaustion.\n\nThe MP4 box header parser converts each 4-byte box name to an atom using String.to_atom/1 without validation. \u0027Elixir.Membrane.MP4.Container.Header\u0027:parse_box_name/1 in lib/membrane_mp4/container/header.ex interns every box name encountered while \u0027Elixir.Membrane.MP4.Container.Header\u0027:parse/1 walks the input. BEAM atoms are never garbage-collected, so each unique attacker-controlled 4-byte name is a permanent allocation. A crafted MP4 of approximately 8 MB containing roughly 1.1 million boxes with distinct non-standard names exhausts the atom table (default ceiling around 1,048,576 atoms), aborting the entire BEAM node and taking down all applications running on it.\n\nThis issue affects membrane_mp4_plugin from 0.3.0 before 0.36.7."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T04:45:33.275Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/membraneframework/membrane_mp4_plugin/security/advisories/GHSA-43hj-fxwj-49qw"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-53423.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-53423"
},
{
"tags": [
"patch"
],
"url": "https://github.com/membraneframework/membrane_mp4_plugin/commit/56373d1ddc86968e55fbde795c14eeba24357b57"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Unauthenticated denial-of-service via BEAM atom table exhaustion in membrane_mp4_plugin",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-53423",
"datePublished": "2026-06-11T10:44:51.528Z",
"dateReserved": "2026-06-09T11:01:47.529Z",
"dateUpdated": "2026-06-12T04:45:33.275Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48856 (GCVE-0-2026-48856)
Vulnerability from cvelistv5 – Published: 2026-06-10 14:41 – Updated: 2026-06-11 04:45
VLAI
Title
httpc leaks Authorization header to cross-origin redirect targets
Summary
Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data.
The httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary. httpc_response:redirect/2 constructs the redirected request by updating only the host field of the header record; all other fields (including authorization and proxy_authorization) are copied verbatim. The redirect target host is never compared against the original host.
autoredirect defaults to true, so this affects all httpc callers that do not explicitly disable automatic redirects.
An attacker who controls a server that the victim contacts via httpc can issue a cross-origin 3xx redirect to a server they also control. The Authorization header (including Basic credentials derived from URL userinfo via httpc_request:handle_user_info/2) is forwarded to the redirect target, allowing credential theft. The same applies to the Proxy-Authorization header.
This vulnerability is associated with program files lib/inets/src/http_client/httpc_response.erl.
This issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/erlang/otp/security/advisories… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-48856.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-48856 | related |
| https://www.erlang.org/doc/system/versions.html#o… | x_version-scheme |
| https://github.com/erlang/otp/commit/688d748d6f7a… | patch |
Impacted products
2 products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48856",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T16:23:52.053802Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T16:24:02.066Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"httpc_response"
],
"packageName": "inets",
"packageURL": "pkg:otp/inets?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/http_client/httpc_response.erl"
],
"programRoutines": [
{
"name": "httpc_response:redirect/2"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "9.7.1",
"status": "unaffected"
},
{
"at": "9.6.2.2",
"status": "unaffected"
},
{
"at": "9.3.2.6",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "5.10",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"httpc_response"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/inets/src/http_client/httpc_response.erl"
],
"programRoutines": [
{
"name": "httpc_response:redirect/2"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "29.0.2",
"status": "unaffected"
},
{
"at": "28.5.0.2",
"status": "unaffected"
},
{
"at": "27.3.4.13",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"lessThan": "688d748d6f7a6a06b13b662a1d3de8af97079612",
"status": "affected",
"version": "84adefa331c4159d432d22840663c38f155cd4c1",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.5.0.2",
"versionStartIncluding": "28.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "29.0.2",
"versionStartIncluding": "29.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Ingela Anderton Andin"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Konrad Pietrzak"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Sensitive Data Exposure vulnerability in Erlang OTP inets (\u003ctt\u003ehttpc_response\u003c/tt\u003e module) allows Retrieve Embedded Sensitive Data.\u003cp\u003eThe \u003ctt\u003ehttpc\u003c/tt\u003e client forwards the \u003ctt\u003eAuthorization\u003c/tt\u003e and \u003ctt\u003eProxy-Authorization\u003c/tt\u003e request headers to redirect targets without checking whether the redirect crosses an origin boundary. \u003ctt\u003ehttpc_response:redirect/2\u003c/tt\u003e constructs the redirected request by updating only the \u003ctt\u003ehost\u003c/tt\u003e field of the header record; all other fields (including \u003ctt\u003eauthorization\u003c/tt\u003e and \u003ctt\u003eproxy_authorization\u003c/tt\u003e) are copied verbatim. The redirect target host is never compared against the original host.\u003c/p\u003e\u003cp\u003e\u003ctt\u003eautoredirect\u003c/tt\u003e defaults to \u003ctt\u003etrue\u003c/tt\u003e, so this affects all \u003ctt\u003ehttpc\u003c/tt\u003e callers that do not explicitly disable automatic redirects.\u003c/p\u003e\u003cp\u003eAn attacker who controls a server that the victim contacts via \u003ctt\u003ehttpc\u003c/tt\u003e can issue a cross-origin 3xx redirect to a server they also control. The \u003ctt\u003eAuthorization\u003c/tt\u003e header (including Basic credentials derived from URL userinfo via \u003ctt\u003ehttpc_request:handle_user_info/2\u003c/tt\u003e) is forwarded to the redirect target, allowing credential theft. The same applies to the \u003ctt\u003eProxy-Authorization\u003c/tt\u003e header.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/inets/src/http_client/httpc_response.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6.\u003c/p\u003e"
}
],
"value": "Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data.\n\nThe httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary. httpc_response:redirect/2 constructs the redirected request by updating only the host field of the header record; all other fields (including authorization and proxy_authorization) are copied verbatim. The redirect target host is never compared against the original host.\n\nautoredirect defaults to true, so this affects all httpc callers that do not explicitly disable automatic redirects.\n\nAn attacker who controls a server that the victim contacts via httpc can issue a cross-origin 3xx redirect to a server they also control. The Authorization header (including Basic credentials derived from URL userinfo via httpc_request:handle_user_info/2) is forwarded to the redirect target, allowing credential theft. The same applies to the Proxy-Authorization header.\n\nThis vulnerability is associated with program files lib/inets/src/http_client/httpc_response.erl.\n\nThis issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T04:45:35.836Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-m75x-4vwg-ggjh"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-48856.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48856"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/688d748d6f7a6a06b13b662a1d3de8af97079612"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "httpc leaks Authorization header to cross-origin redirect targets",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eSet \u003ctt\u003e{autoredirect, false}\u003c/tt\u003e in the \u003ctt\u003ehttpc:request/4\u003c/tt\u003e options and handle redirects manually, stripping the \u003ctt\u003eAuthorization\u003c/tt\u003e header when the redirect crosses an origin boundary.\u003c/li\u003e\u003cli\u003eEnsure that \u003ctt\u003ehttpc\u003c/tt\u003e is only used to contact trusted servers that will not issue cross-origin redirects.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Set {autoredirect, false} in the httpc:request/4 options and handle redirects manually, stripping the Authorization header when the redirect crosses an origin boundary.\n* Ensure that httpc is only used to contact trusted servers that will not issue cross-origin redirects."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-48856",
"datePublished": "2026-06-10T14:41:51.616Z",
"dateReserved": "2026-05-25T20:44:10.697Z",
"dateUpdated": "2026-06-11T04:45:35.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48860 (GCVE-0-2026-48860)
Vulnerability from cvelistv5 – Published: 2026-06-10 14:35 – Updated: 2026-06-11 04:45
VLAI
Title
Distribution-over-TLS LAN allowlist silently bypassed due to sockname/peername confusion in inet_tls_dist
Summary
Reliance on IP Address for Authentication vulnerability in Erlang/OTP ssl (inet_tls_dist module) allows unauthenticated bypass of the distribution-over-TLS LAN allowlist.
The inet_tls_dist:check_ip/1 function, which enforces a LAN allowlist for Erlang distribution over TLS, calls inet:sockname/1 instead of inet:peername/1 to obtain the peer's IP address. Because inet:sockname/1 returns the local socket address, both the local IP and the supposed peer IP resolve to the same value, causing the subnet mask comparison to always succeed regardless of the actual remote address. Any holder of a CA-signed TLS certificate can therefore bypass the LAN restriction and gain full Erlang distribution access to the node, including rpc:call/4 and code:load_binary/3.
This vulnerability is associated with program file lib/ssl/src/inet_tls_dist.erl.
This issue affects OTP from OTP 26.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssl from 11.0 before 11.7.2, 11.6.0.2 and 11.2.12.9.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/erlang/otp/security/advisories… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-48860.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-48860 | related |
| https://www.erlang.org/doc/system/versions.html#o… | x_version-scheme |
| https://github.com/erlang/otp/commit/0209a6df65d6… | patch |
Impacted products
2 products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48860",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T16:23:08.922807Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T16:23:31.951Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"inet_tls_dist"
],
"packageName": "ssl",
"packageURL": "pkg:otp/ssl?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/inet_tls_dist.erl"
],
"programRoutines": [
{
"name": "inet_tls_dist:check_ip/1"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "11.7.2",
"status": "unaffected"
},
{
"at": "11.6.0.2",
"status": "unaffected"
},
{
"at": "11.2.12.9",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "11.0",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"inet_tls_dist"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/ssl/src/inet_tls_dist.erl"
],
"programRoutines": [
{
"name": "inet_tls_dist:check_ip/1"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "29.0.2",
"status": "unaffected"
},
{
"at": "28.5.0.2",
"status": "unaffected"
},
{
"at": "27.3.4.13",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "26.0",
"versionType": "otp"
},
{
"lessThan": "0209a6df65d605552b378273027b3968b35f26b4",
"status": "affected",
"version": "7a08c5507862a7011568506d0c17b1fdef30bee4",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Erlang distribution must be configured to use TLS (\u003ctt\u003einet_tls_dist\u003c/tt\u003e) with the \u003ctt\u003echeck_ip\u003c/tt\u003e option enabled. The default Erlang distribution configuration does not use TLS and is not affected."
}
],
"value": "The Erlang distribution must be configured to use TLS (inet_tls_dist) with the check_ip option enabled. The default Erlang distribution configuration does not use TLS and is not affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.13",
"versionStartIncluding": "26.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.5.0.2",
"versionStartIncluding": "28.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "29.0.2",
"versionStartIncluding": "29.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lukas Backstr\u00f6m"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ingela Anderton Andin"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Raimo Niskanen"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Jakub Witczak"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eReliance on IP Address for Authentication vulnerability in Erlang/OTP ssl (inet_tls_dist module) allows unauthenticated bypass of the distribution-over-TLS LAN allowlist.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003einet_tls_dist:check_ip/1\u003c/tt\u003e function, which enforces a LAN allowlist for Erlang distribution over TLS, calls \u003ctt\u003einet:sockname/1\u003c/tt\u003e instead of \u003ctt\u003einet:peername/1\u003c/tt\u003e to obtain the peer\u0027s IP address. Because \u003ctt\u003einet:sockname/1\u003c/tt\u003e returns the local socket address, both the local IP and the supposed peer IP resolve to the same value, causing the subnet mask comparison to always succeed regardless of the actual remote address. Any holder of a CA-signed TLS certificate can therefore bypass the LAN restriction and gain full Erlang distribution access to the node, including \u003ctt\u003erpc:call/4\u003c/tt\u003e and \u003ctt\u003ecode:load_binary/3\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program file \u003ctt\u003elib/ssl/src/inet_tls_dist.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 26.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssl from 11.0 before 11.7.2, 11.6.0.2 and 11.2.12.9.\u003c/p\u003e"
}
],
"value": "Reliance on IP Address for Authentication vulnerability in Erlang/OTP ssl (inet_tls_dist module) allows unauthenticated bypass of the distribution-over-TLS LAN allowlist.\n\nThe inet_tls_dist:check_ip/1 function, which enforces a LAN allowlist for Erlang distribution over TLS, calls inet:sockname/1 instead of inet:peername/1 to obtain the peer\u0027s IP address. Because inet:sockname/1 returns the local socket address, both the local IP and the supposed peer IP resolve to the same value, causing the subnet mask comparison to always succeed regardless of the actual remote address. Any holder of a CA-signed TLS certificate can therefore bypass the LAN restriction and gain full Erlang distribution access to the node, including rpc:call/4 and code:load_binary/3.\n\nThis vulnerability is associated with program file lib/ssl/src/inet_tls_dist.erl.\n\nThis issue affects OTP from OTP 26.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssl from 11.0 before 11.7.2, 11.6.0.2 and 11.2.12.9."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
},
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1025",
"description": "CWE-1025 Comparison Using Wrong Factors",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T04:45:42.753Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-gp7x-mfv6-52cv"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-48860.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48860"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/0209a6df65d605552b378273027b3968b35f26b4"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Distribution-over-TLS LAN allowlist silently bypassed due to sockname/peername confusion in inet_tls_dist",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Implement a custom \u003ctt\u003everify_fun\u003c/tt\u003e SSL option that correctly checks the peer IP address using \u003ctt\u003einet:peername/1\u003c/tt\u003e on the socket."
}
],
"value": "Implement a custom verify_fun SSL option that correctly checks the peer IP address using inet:peername/1 on the socket."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-48860",
"datePublished": "2026-06-10T14:35:49.987Z",
"dateReserved": "2026-05-25T20:44:10.697Z",
"dateUpdated": "2026-06-11T04:45:42.753Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48855 (GCVE-0-2026-48855)
Vulnerability from cvelistv5 – Published: 2026-06-10 14:35 – Updated: 2026-06-11 04:45
VLAI
Title
SFTP READLINK Leaks Absolute Backend Filesystem Path When Root Is Configured
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh (ssh_sftpd module) allows File Discovery.
The SSH_FXP_READLINK handler in ssh_sftpd sends the raw result of file:read_link/2 to the client without calling chroot_filename/2 to strip the backend root prefix. An authenticated SFTP client can create a symlink inside the chroot pointing to /; ssh_sftpd resolves the target to the absolute backend root and stores it on disk. Reading the symlink back via SSH_FXP_READLINK returns that absolute path, for example /data/sftp, instead of the chrooted value /.
The information disclosed is the absolute filesystem path of the SFTP root directory and of any symlink targets within it. No file contents, credentials, or access to paths outside the root directory are obtainable through this issue alone.
This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.
This issue affects OTP from OTP 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssh from 3.0.1 before 6.0.1, 5.5.2.1 and 5.2.11.8.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/erlang/otp/security/advisories… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-48855.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-48855 | related |
| https://www.erlang.org/doc/system/versions.html#o… | x_version-scheme |
| https://github.com/erlang/otp/commit/8f4224a0d267… | patch |
Impacted products
2 products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48855",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T16:22:16.684743Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T16:22:24.746Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_sftpd"
],
"packageName": "ssh",
"packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/ssh_sftpd.erl"
],
"programRoutines": [
{
"name": "ssh_sftpd:handle_op/4"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "6.0.1",
"status": "unaffected"
},
{
"at": "5.5.2.1",
"status": "unaffected"
},
{
"at": "5.2.11.8",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "3.0.1",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_sftpd"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/ssh/src/ssh_sftpd.erl"
],
"programRoutines": [
{
"name": "ssh_sftpd:handle_op/4"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "29.0.2",
"status": "unaffected"
},
{
"at": "28.5.0.2",
"status": "unaffected"
},
{
"at": "27.3.4.13",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"lessThan": "8f4224a0d2676b0653d2c71a889a956e8c2c62d6",
"status": "affected",
"version": "08225797f7ef943d0c82a1d9dd6650d94ca2580d",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The SFTP subsystem must be enabled on the SSH server and the \u003ctt\u003eroot\u003c/tt\u003e option must be configured in the \u003ctt\u003essh_sftpd:subsystem_spec/1\u003c/tt\u003e call. Deployments without the \u003ctt\u003eroot\u003c/tt\u003e option are not affected."
}
],
"value": "The SFTP subsystem must be enabled on the SSH server and the root option must be configured in the ssh_sftpd:subsystem_spec/1 call. Deployments without the root option are not affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.5.0.2",
"versionStartIncluding": "28.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "29.0.2",
"versionStartIncluding": "29.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Micha\u0142 W\u0105sowski"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Jakub Witczak"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh (\u003ctt\u003essh_sftpd\u003c/tt\u003e module) allows File Discovery.\u003cp\u003eThe \u003ctt\u003eSSH_FXP_READLINK\u003c/tt\u003e handler in \u003ctt\u003essh_sftpd\u003c/tt\u003e sends the raw result of \u003ctt\u003efile:read_link/2\u003c/tt\u003e to the client without calling \u003ctt\u003echroot_filename/2\u003c/tt\u003e to strip the backend root prefix. An authenticated SFTP client can create a symlink inside the chroot pointing to \u003ctt\u003e/\u003c/tt\u003e; \u003ctt\u003essh_sftpd\u003c/tt\u003e resolves the target to the absolute backend root and stores it on disk. Reading the symlink back via \u003ctt\u003eSSH_FXP_READLINK\u003c/tt\u003e returns that absolute path, for example \u003ctt\u003e/data/sftp\u003c/tt\u003e, instead of the chrooted value \u003ctt\u003e/\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThe information disclosed is the absolute filesystem path of the SFTP root directory and of any symlink targets within it. No file contents, credentials, or access to paths outside the root directory are obtainable through this issue alone.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_sftpd.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssh from 3.0.1 before 6.0.1, 5.5.2.1 and 5.2.11.8.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh (ssh_sftpd module) allows File Discovery.\n\nThe SSH_FXP_READLINK handler in ssh_sftpd sends the raw result of file:read_link/2 to the client without calling chroot_filename/2 to strip the backend root prefix. An authenticated SFTP client can create a symlink inside the chroot pointing to /; ssh_sftpd resolves the target to the absolute backend root and stores it on disk. Reading the symlink back via SSH_FXP_READLINK returns that absolute path, for example /data/sftp, instead of the chrooted value /.\n\nThe information disclosed is the absolute filesystem path of the SFTP root directory and of any symlink targets within it. No file contents, credentials, or access to paths outside the root directory are obtainable through this issue alone.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.\n\nThis issue affects OTP from OTP 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssh from 3.0.1 before 6.0.1, 5.5.2.1 and 5.2.11.8."
}
],
"impacts": [
{
"capecId": "CAPEC-116",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-116 Excavation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T04:45:29.864Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-pv7g-pjrq-x2fh"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-48855.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48855"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/8f4224a0d2676b0653d2c71a889a956e8c2c62d6"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "SFTP READLINK Leaks Absolute Backend Filesystem Path When Root Is Configured",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eUse OS-level chroot to run the Erlang VM/SFTP server process in an isolated filesystem environment, eliminating reliance on the application-level \u003ctt\u003eroot\u003c/tt\u003e option.\u003c/li\u003e\u003cli\u003eEnsure that the SFTP server port is not reachable from untrusted machines.\u003c/li\u003e\u003cli\u003eEnsure that no sensitive information (usernames, project names, mount topology) is inferrable from the absolute path of the configured root directory.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Use OS-level chroot to run the Erlang VM/SFTP server process in an isolated filesystem environment, eliminating reliance on the application-level root option.\n* Ensure that the SFTP server port is not reachable from untrusted machines.\n* Ensure that no sensitive information (usernames, project names, mount topology) is inferrable from the absolute path of the configured root directory."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-48855",
"datePublished": "2026-06-10T14:35:49.683Z",
"dateReserved": "2026-05-25T20:44:10.697Z",
"dateUpdated": "2026-06-11T04:45:29.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48858 (GCVE-0-2026-48858)
Vulnerability from cvelistv5 – Published: 2026-06-10 14:35 – Updated: 2026-06-11 04:45
VLAI
Title
ftp client PASV response IP not validated against control peer, enabling SSRF and FTP bounce attacks
Summary
Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvalidated PASV response IP address.
The ftp_internal:handle_ctrl_result/2 PASV handler (mode=passive, ipfamily=inet, ftp_extension=false) extracts the IP address from the server's 227 response and passes it directly to gen_tcp:connect/4 without validating it against the control connection peer address. The adjacent EPSV handlers correctly call peername(CSock) to derive the IP from the control connection, but the PASV handler does not. A malicious or compromised FTP server can redirect the client's data connection to an arbitrary internal host and port. On read operations (ftp:ls/1,2, ftp:nlist/1,2, ftp:recv/2,3), data from the redirected target is returned to the caller. On write operations (ftp:send/2,3, ftp:append/2,3), file content is sent to the redirected target. This enables SSRF against internal hosts, cloud metadata endpoints, and FTP bounce attacks against third-party hosts.
The vulnerable path is the default configuration (mode=passive, ipfamily=inet, ftp_extension=false). RFC 2577 section 3 explicitly recommends validating the PASV response IP against the control connection peer.
The ftp application is deprecated and scheduled for removal in OTP-30.
This vulnerability is associated with program files lib/inets/src/ftp/ftp_internal.erl (inets 5.10.4 through 6.5, OTP 17.4 through 20.3) and lib/ftp/src/ftp_internal.erl (ftp 1.0 and later, OTP 21.0 and later).
This issue affects OTP from OTP 17.4 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10.4 before 7.0 and ftp from 1.0 before 1.2.6, 1.2.4.1 and 1.2.3.1.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://github.com/erlang/otp/security/advisories… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-48858.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-48858 | related |
| https://www.erlang.org/doc/system/versions.html#o… | x_version-scheme |
| https://github.com/erlang/otp/commit/2691a806231f… | patch |
| https://github.com/erlang/otp/commit/521bcfa24407… | patch |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Erlang | OTP |
Affected:
5.10.4 , < 7.0
(otp)
cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:* |
|
| Erlang | OTP |
Affected:
1.0 , < *
(otp)
cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:* |
|
| Erlang | OTP |
Affected:
17.4 , < *
(otp)
Affected: be95772ee1fcfe71045ef070130bea7a910b81e3 , < * (git) cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48858",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T16:20:57.662713Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T16:21:08.893Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ftp_internal"
],
"packageName": "inets",
"packageURL": "pkg:otp/inets?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/ftp/ftp_internal.erl"
],
"programRoutines": [
{
"name": "ftp_internal:handle_ctrl_result/2"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"lessThan": "7.0",
"status": "affected",
"version": "5.10.4",
"versionType": "otp"
}
]
},
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ftp_internal"
],
"packageName": "ftp",
"packageURL": "pkg:otp/ftp?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/ftp_internal.erl"
],
"programRoutines": [
{
"name": "ftp_internal:handle_ctrl_result/2"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "1.2.6",
"status": "unaffected"
},
{
"at": "1.2.4.1",
"status": "unaffected"
},
{
"at": "1.2.3.1",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "1.0",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ftp_internal"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/inets/src/ftp/ftp_internal.erl",
"lib/ftp/src/ftp_internal.erl"
],
"programRoutines": [
{
"name": "ftp_internal:handle_ctrl_result/2"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "29.0.2",
"status": "unaffected"
},
{
"at": "28.5.0.2",
"status": "unaffected"
},
{
"at": "27.3.4.13",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.4",
"versionType": "otp"
},
{
"changes": [
{
"at": "2691a806231ffd0490a8a9e20500dec0c7e73727",
"status": "unaffected"
},
{
"at": "521bcfa24407ee8cb5614823cf905c37ea3aa605",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "be95772ee1fcfe71045ef070130bea7a910b81e3",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vulnerable path is active under the default configuration: \u003ctt\u003emode=passive\u003c/tt\u003e, \u003ctt\u003eipfamily=inet\u003c/tt\u003e, and \u003ctt\u003eftp_extension=false\u003c/tt\u003e are all defaults for \u003ctt\u003eftp:open/2\u003c/tt\u003e."
}
],
"value": "The vulnerable path is active under the default configuration: mode=passive, ipfamily=inet, and ftp_extension=false are all defaults for ftp:open/2."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.13",
"versionStartIncluding": "17.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.5.0.2",
"versionStartIncluding": "28.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "29.0.2",
"versionStartIncluding": "29.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Ingela Anderton Andin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eServer-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvalidated PASV response IP address.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003eftp_internal:handle_ctrl_result/2\u003c/tt\u003e PASV handler (mode=passive, ipfamily=inet, ftp_extension=false) extracts the IP address from the server\u0027s 227 response and passes it directly to \u003ctt\u003egen_tcp:connect/4\u003c/tt\u003e without validating it against the control connection peer address. The adjacent EPSV handlers correctly call \u003ctt\u003epeername(CSock)\u003c/tt\u003e to derive the IP from the control connection, but the PASV handler does not. A malicious or compromised FTP server can redirect the client\u0027s data connection to an arbitrary internal host and port. On read operations (\u003ctt\u003eftp:ls/1,2\u003c/tt\u003e, \u003ctt\u003eftp:nlist/1,2\u003c/tt\u003e, \u003ctt\u003eftp:recv/2,3\u003c/tt\u003e), data from the redirected target is returned to the caller. On write operations (\u003ctt\u003eftp:send/2,3\u003c/tt\u003e, \u003ctt\u003eftp:append/2,3\u003c/tt\u003e), file content is sent to the redirected target. This enables SSRF against internal hosts, cloud metadata endpoints, and FTP bounce attacks against third-party hosts.\u003c/p\u003e\u003cp\u003eThe vulnerable path is the default configuration (mode=passive, ipfamily=inet, ftp_extension=false). RFC 2577 section 3 explicitly recommends validating the PASV response IP against the control connection peer.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003eftp\u003c/tt\u003e application is deprecated and scheduled for removal in OTP-30.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/inets/src/ftp/ftp_internal.erl\u003c/tt\u003e (inets 5.10.4 through 6.5, OTP 17.4 through 20.3) and \u003ctt\u003elib/ftp/src/ftp_internal.erl\u003c/tt\u003e (ftp 1.0 and later, OTP 21.0 and later).\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.4 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10.4 before 7.0 and ftp from 1.0 before 1.2.6, 1.2.4.1 and 1.2.3.1.\u003c/p\u003e"
}
],
"value": "Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvalidated PASV response IP address.\n\nThe ftp_internal:handle_ctrl_result/2 PASV handler (mode=passive, ipfamily=inet, ftp_extension=false) extracts the IP address from the server\u0027s 227 response and passes it directly to gen_tcp:connect/4 without validating it against the control connection peer address. The adjacent EPSV handlers correctly call peername(CSock) to derive the IP from the control connection, but the PASV handler does not. A malicious or compromised FTP server can redirect the client\u0027s data connection to an arbitrary internal host and port. On read operations (ftp:ls/1,2, ftp:nlist/1,2, ftp:recv/2,3), data from the redirected target is returned to the caller. On write operations (ftp:send/2,3, ftp:append/2,3), file content is sent to the redirected target. This enables SSRF against internal hosts, cloud metadata endpoints, and FTP bounce attacks against third-party hosts.\n\nThe vulnerable path is the default configuration (mode=passive, ipfamily=inet, ftp_extension=false). RFC 2577 section 3 explicitly recommends validating the PASV response IP against the control connection peer.\n\nThe ftp application is deprecated and scheduled for removal in OTP-30.\n\nThis vulnerability is associated with program files lib/inets/src/ftp/ftp_internal.erl (inets 5.10.4 through 6.5, OTP 17.4 through 20.3) and lib/ftp/src/ftp_internal.erl (ftp 1.0 and later, OTP 21.0 and later).\n\nThis issue affects OTP from OTP 17.4 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10.4 before 7.0 and ftp from 1.0 before 1.2.6, 1.2.4.1 and 1.2.3.1."
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T04:45:36.460Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-24cv-hwgr-37fq"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-48858.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48858"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/2691a806231ffd0490a8a9e20500dec0c7e73727"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/521bcfa24407ee8cb5614823cf905c37ea3aa605"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "ftp client PASV response IP not validated against control peer, enabling SSRF and FTP bounce attacks",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Pass \u003ctt\u003e{ftp_extension, true}\u003c/tt\u003e to \u003ctt\u003eftp:open/2\u003c/tt\u003e to use EPSV instead of PASV. Alternatively, pass \u003ctt\u003e{mode, active}\u003c/tt\u003e to use active mode, or pass \u003ctt\u003e{ipfamily, inet6}\u003c/tt\u003e to force IPv6, both of which bypass the vulnerable PASV path."
}
],
"value": "Pass {ftp_extension, true} to ftp:open/2 to use EPSV instead of PASV. Alternatively, pass {mode, active} to use active mode, or pass {ipfamily, inet6} to force IPv6, both of which bypass the vulnerable PASV path."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-48858",
"datePublished": "2026-06-10T14:35:45.466Z",
"dateReserved": "2026-05-25T20:44:10.697Z",
"dateUpdated": "2026-06-11T04:45:36.460Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48859 (GCVE-0-2026-48859)
Vulnerability from cvelistv5 – Published: 2026-06-10 14:35 – Updated: 2026-06-11 04:45
VLAI
Title
SSH server timing side-channel in ssh_auth:check_password/3 allows unauthenticated username enumeration
Summary
Observable Timing Discrepancy vulnerability in Erlang/OTP ssh (ssh_auth, ssh_options modules) allows unauthenticated remote username enumeration via timing side-channel in password authentication.
When the SSH daemon is configured with the user_passwords or password option, ssh_auth:check_password/3 performs a PBKDF2-SHA256 computation with 600,000 iterations (~300ms) for valid usernames, but returns immediately (~0ms) for invalid usernames via the ssh_options:get_password_option/2 path. This timing difference is detectable in a single authentication attempt and allows an unauthenticated attacker to distinguish valid from invalid usernames.
The user_passwords and password options are documented as intended for test purposes; the recommended alternative is pwdfun, which is not affected by this vulnerability.
This vulnerability is associated with program files lib/ssh/src/ssh_auth.erl and lib/ssh/src/ssh_options.erl.
This issue affects OTP from OTP 29.0 before 29.0.2 corresponding to ssh from 6.0 before 6.0.1.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-208 - Observable Timing Discrepancy
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/erlang/otp/security/advisories… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-48859.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-48859 | related |
| https://www.erlang.org/doc/system/versions.html#o… | x_version-scheme |
| https://github.com/erlang/otp/commit/c342092ef4b3… | patch |
Impacted products
2 products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48859",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T16:19:16.914933Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T16:19:43.145Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_auth",
"ssh_options"
],
"packageName": "ssh",
"packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/ssh_auth.erl",
"src/ssh_options.erl"
],
"programRoutines": [
{
"name": "ssh_auth:check_password/3"
},
{
"name": "ssh_options:get_password_option/2"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"lessThan": "6.0.1",
"status": "affected",
"version": "6.0",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_auth",
"ssh_options"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/ssh/src/ssh_auth.erl",
"lib/ssh/src/ssh_options.erl"
],
"programRoutines": [
{
"name": "ssh_auth:check_password/3"
},
{
"name": "ssh_options:get_password_option/2"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"lessThan": "29.0.2",
"status": "affected",
"version": "29.0",
"versionType": "otp"
},
{
"lessThan": "c342092ef4b369bb409d5b71ac8fd83bab74aedf",
"status": "affected",
"version": "032d1bc9491a3975c68faf9bc7776115d6ae3005",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The SSH daemon must be configured with the \u003ctt\u003euser_passwords\u003c/tt\u003e or \u003ctt\u003epassword\u003c/tt\u003e option for password authentication. Systems using the \u003ctt\u003epwdfun\u003c/tt\u003e option instead are not affected."
}
],
"value": "The SSH daemon must be configured with the user_passwords or password option for password authentication. Systems using the pwdfun option instead are not affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "29.0.2",
"versionStartIncluding": "29.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Zhang Delong"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jakub Witczak"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Ingela Anderton Andin"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Micha\u0142 W\u0105sowski"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eObservable Timing Discrepancy vulnerability in Erlang/OTP ssh (ssh_auth, ssh_options modules) allows unauthenticated remote username enumeration via timing side-channel in password authentication.\u003c/p\u003e\u003cp\u003eWhen the SSH daemon is configured with the \u003ctt\u003euser_passwords\u003c/tt\u003e or \u003ctt\u003epassword\u003c/tt\u003e option, \u003ctt\u003essh_auth:check_password/3\u003c/tt\u003e performs a PBKDF2-SHA256 computation with 600,000 iterations (~300ms) for valid usernames, but returns immediately (~0ms) for invalid usernames via the \u003ctt\u003essh_options:get_password_option/2\u003c/tt\u003e path. This timing difference is detectable in a single authentication attempt and allows an unauthenticated attacker to distinguish valid from invalid usernames.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003euser_passwords\u003c/tt\u003e and \u003ctt\u003epassword\u003c/tt\u003e options are documented as intended for test purposes; the recommended alternative is \u003ctt\u003epwdfun\u003c/tt\u003e, which is not affected by this vulnerability.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_auth.erl\u003c/tt\u003e and \u003ctt\u003elib/ssh/src/ssh_options.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 29.0 before 29.0.2 corresponding to ssh from 6.0 before 6.0.1.\u003c/p\u003e"
}
],
"value": "Observable Timing Discrepancy vulnerability in Erlang/OTP ssh (ssh_auth, ssh_options modules) allows unauthenticated remote username enumeration via timing side-channel in password authentication.\n\nWhen the SSH daemon is configured with the user_passwords or password option, ssh_auth:check_password/3 performs a PBKDF2-SHA256 computation with 600,000 iterations (~300ms) for valid usernames, but returns immediately (~0ms) for invalid usernames via the ssh_options:get_password_option/2 path. This timing difference is detectable in a single authentication attempt and allows an unauthenticated attacker to distinguish valid from invalid usernames.\n\nThe user_passwords and password options are documented as intended for test purposes; the recommended alternative is pwdfun, which is not affected by this vulnerability.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_auth.erl and lib/ssh/src/ssh_options.erl.\n\nThis issue affects OTP from OTP 29.0 before 29.0.2 corresponding to ssh from 6.0 before 6.0.1."
}
],
"impacts": [
{
"capecId": "CAPEC-116",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-116 Excavation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208 Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T04:45:32.938Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-3w6p-vwhf-wvp4"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-48859.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48859"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/c342092ef4b369bb409d5b71ac8fd83bab74aedf"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SSH server timing side-channel in ssh_auth:check_password/3 allows unauthenticated username enumeration",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use the \u003ctt\u003epwdfun\u003c/tt\u003e option instead of \u003ctt\u003euser_passwords\u003c/tt\u003e for password authentication. The \u003ctt\u003epwdfun\u003c/tt\u003e callback gives full control over timing behavior and is not affected by this vulnerability. Implementations should take care to execute in approximately constant time regardless of username validity."
}
],
"value": "Use the pwdfun option instead of user_passwords for password authentication. The pwdfun callback gives full control over timing behavior and is not affected by this vulnerability. Implementations should take care to execute in approximately constant time regardless of username validity."
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Restrict SSH port access to trusted networks only via firewall rules, reducing the set of potential attackers who can perform timing measurements."
}
],
"value": "Restrict SSH port access to trusted networks only via firewall rules, reducing the set of potential attackers who can perform timing measurements."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-48859",
"datePublished": "2026-06-10T14:35:43.553Z",
"dateReserved": "2026-05-25T20:44:10.697Z",
"dateUpdated": "2026-06-11T04:45:32.938Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49759 (GCVE-0-2026-49759)
Vulnerability from cvelistv5 – Published: 2026-06-10 14:35 – Updated: 2026-06-11 04:45
VLAI
Title
Stack buffer overflow in SCTP error cause parsing in inet_drv allows remote VM crash
Summary
Stack-based Buffer Overflow vulnerability in Erlang OTP erts (inet_drv) allows an unauthenticated remote attacker to crash the BEAM VM by sending a crafted SCTP ERROR chunk.
The sctp_parse_error_chunk function in erts/emulator/drivers/common/inet_drv.c parses SCTP ERROR chunks and writes cause codes into a fixed-size stack-allocated ErlDrvTermData spec[] array without checking bounds. A remote attacker who has established an SCTP association to a listening port can send a single crafted SCTP ERROR chunk containing enough cause codes to overflow the stack buffer, crashing the VM. The attacker can only write 16-bit values interleaved with a fixed tag, so the overflow does not provide a controlled return address, limiting exploitation to Denial of Service.
A crafted SCTP ERROR chunk may also leak bits and pieces of Erlang VM memory into the received error packet observed by the Erlang process. Such data is already readable by the user running the Erlang VM, so the disclosure scope is limited.
This issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erts from 6.0 before 15.2.7.9, 16.4.0.2 and 17.0.2.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack-based Buffer Overflow
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/erlang/otp/security/advisories… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-49759.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-49759 | related |
| https://www.erlang.org/doc/system/versions.html#o… | x_version-scheme |
| https://github.com/erlang/otp/commit/3983d4952843… | patch |
Impacted products
2 products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49759",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T16:18:27.945916Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T16:18:43.800Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"inet_drv"
],
"packageName": "erts",
"packageURL": "pkg:otp/erts?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"emulator/drivers/common/inet_drv.c"
],
"programRoutines": [
{
"name": "sctp_parse_error_chunk"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "15.2.7.9",
"status": "unaffected"
},
{
"at": "16.4.0.2",
"status": "unaffected"
},
{
"at": "17.0.2",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "6.0",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"inet_drv"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"erts/emulator/drivers/common/inet_drv.c"
],
"programRoutines": [
{
"name": "sctp_parse_error_chunk"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "27.3.4.13",
"status": "unaffected"
},
{
"at": "28.5.0.2",
"status": "unaffected"
},
{
"at": "29.0.2",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"lessThan": "3983d495284331c121f600a80bac9fcf4e16381e",
"status": "affected",
"version": "84adefa331c4159d432d22840663c38f155cd4c1",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SCTP support must be compiled into OTP. A listening SCTP socket must be opened via \u003ctt\u003egen_sctp\u003c/tt\u003e with the default \u003ctt\u003einet\u003c/tt\u003e backend and must be reachable from the attacker\u0027s network. Windows builds are unaffected as SCTP is not supported on Windows."
}
],
"value": "SCTP support must be compiled into OTP. A listening SCTP socket must be opened via gen_sctp with the default inet backend and must be reachable from the attacker\u0027s network. Windows builds are unaffected as SCTP is not supported on Windows."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.13",
"versionStartIncluding": "17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.5.0.2",
"versionStartIncluding": "28.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "29.0.2",
"versionStartIncluding": "29.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Zhang Delong"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Raimo Niskanen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stack-based Buffer Overflow vulnerability in Erlang OTP \u003ctt\u003eerts\u003c/tt\u003e (\u003ctt\u003einet_drv\u003c/tt\u003e) allows an unauthenticated remote attacker to crash the BEAM VM by sending a crafted SCTP ERROR chunk.\u003cp\u003eThe \u003ctt\u003esctp_parse_error_chunk\u003c/tt\u003e function in \u003ctt\u003eerts/emulator/drivers/common/inet_drv.c\u003c/tt\u003e parses SCTP ERROR chunks and writes cause codes into a fixed-size stack-allocated \u003ctt\u003eErlDrvTermData spec[]\u003c/tt\u003e array without checking bounds. A remote attacker who has established an SCTP association to a listening port can send a single crafted SCTP ERROR chunk containing enough cause codes to overflow the stack buffer, crashing the VM. The attacker can only write 16-bit values interleaved with a fixed tag, so the overflow does not provide a controlled return address, limiting exploitation to Denial of Service.\u003c/p\u003e\u003cp\u003eA crafted SCTP ERROR chunk may also leak bits and pieces of Erlang VM memory into the received error packet observed by the Erlang process. Such data is already readable by the user running the Erlang VM, so the disclosure scope is limited.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erts from 6.0 before 15.2.7.9, 16.4.0.2 and 17.0.2.\u003c/p\u003e"
}
],
"value": "Stack-based Buffer Overflow vulnerability in Erlang OTP erts (inet_drv) allows an unauthenticated remote attacker to crash the BEAM VM by sending a crafted SCTP ERROR chunk.\n\nThe sctp_parse_error_chunk function in erts/emulator/drivers/common/inet_drv.c parses SCTP ERROR chunks and writes cause codes into a fixed-size stack-allocated ErlDrvTermData spec[] array without checking bounds. A remote attacker who has established an SCTP association to a listening port can send a single crafted SCTP ERROR chunk containing enough cause codes to overflow the stack buffer, crashing the VM. The attacker can only write 16-bit values interleaved with a fixed tag, so the overflow does not provide a controlled return address, limiting exploitation to Denial of Service.\n\nA crafted SCTP ERROR chunk may also leak bits and pieces of Erlang VM memory into the received error packet observed by the Erlang process. Such data is already readable by the user running the Erlang VM, so the disclosure scope is limited.\n\nThis issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erts from 6.0 before 15.2.7.9, 16.4.0.2 and 17.0.2."
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T04:45:45.953Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-6f4f-chj5-5g97"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-49759.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-49759"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/3983d495284331c121f600a80bac9fcf4e16381e"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stack buffer overflow in SCTP error cause parsing in inet_drv allows remote VM crash",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-49759",
"datePublished": "2026-06-10T14:35:38.838Z",
"dateReserved": "2026-06-01T13:45:22.449Z",
"dateUpdated": "2026-06-11T04:45:45.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49760 (GCVE-0-2026-49760)
Vulnerability from cvelistv5 – Published: 2026-06-10 14:35 – Updated: 2026-06-11 04:45
VLAI
Title
Stack Buffer Overflow in ei_s_print_term at Very Large Integer
Summary
Stack-based Buffer Overflow vulnerability in Erlang OTP (erl_interface) allows Stack-based Buffer Overflow.
This vulnerability is associated with program file lib/erl_interface/src/misc/ei_printterm.c and program routine ei_s_print_term.
The C function ei_s_print_term uses an internal 2000-character stack buffer to format terms. When called with an encoded Erlang term containing a very large integer (encoded representation exceeding 2000 characters), the buffer overflows. The overflow bytes are restricted to the ASCII values of 0-9 and A-F, which limits exploitation to Denial of Service.
The companion function ei_print_term, which prints directly to a FILE instead of a memory buffer, does not contain this bug.
This issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erl_interface from 3.7.16 before 5.5.2.1, 5.7.0.1 and 5.8.1.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack-based Buffer Overflow
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/erlang/otp/security/advisories… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-49760.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-49760 | related |
| https://www.erlang.org/doc/system/versions.html#o… | x_version-scheme |
| https://github.com/erlang/otp/commit/0bef277b2d39… | patch |
Impacted products
2 products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49760",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T16:16:14.697009Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T16:16:28.366Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"erl_interface"
],
"packageName": "erl_interface",
"packageURL": "pkg:otp/erl_interface?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/misc/ei_printterm.c"
],
"programRoutines": [
{
"name": "ei_s_print_term"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "5.5.2.1",
"status": "unaffected"
},
{
"at": "5.7.0.1",
"status": "unaffected"
},
{
"at": "5.8.1",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "3.7.16",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"erl_interface"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/erl_interface/src/misc/ei_printterm.c"
],
"programRoutines": [
{
"name": "ei_s_print_term"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "27.3.4.13",
"status": "unaffected"
},
{
"at": "28.5.0.2",
"status": "unaffected"
},
{
"at": "29.0.2",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"lessThan": "0bef277b2d39dc8babb9ceb4f5d0a456f3007111",
"status": "affected",
"version": "84adefa331c4159d432d22840663c38f155cd4c1",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.5.0.2",
"versionStartIncluding": "28.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "29.0.2",
"versionStartIncluding": "29.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sverker Eriksson"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eStack-based Buffer Overflow vulnerability in Erlang OTP (erl_interface) allows Stack-based Buffer Overflow.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program file \u003ctt\u003elib/erl_interface/src/misc/ei_printterm.c\u003c/tt\u003e and program routine \u003ctt\u003eei_s_print_term\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThe C function \u003ctt\u003eei_s_print_term\u003c/tt\u003e uses an internal 2000-character stack buffer to format terms. When called with an encoded Erlang term containing a very large integer (encoded representation exceeding 2000 characters), the buffer overflows. The overflow bytes are restricted to the ASCII values of \u003ctt\u003e0\u003c/tt\u003e-\u003ctt\u003e9\u003c/tt\u003e and \u003ctt\u003eA\u003c/tt\u003e-\u003ctt\u003eF\u003c/tt\u003e, which limits exploitation to Denial of Service.\u003c/p\u003e\u003cp\u003eThe companion function \u003ctt\u003eei_print_term\u003c/tt\u003e, which prints directly to a \u003ctt\u003eFILE\u003c/tt\u003e instead of a memory buffer, does not contain this bug.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erl_interface from 3.7.16 before 5.5.2.1, 5.7.0.1 and 5.8.1.\u003c/p\u003e"
}
],
"value": "Stack-based Buffer Overflow vulnerability in Erlang OTP (erl_interface) allows Stack-based Buffer Overflow.\n\nThis vulnerability is associated with program file lib/erl_interface/src/misc/ei_printterm.c and program routine ei_s_print_term.\n\nThe C function ei_s_print_term uses an internal 2000-character stack buffer to format terms. When called with an encoded Erlang term containing a very large integer (encoded representation exceeding 2000 characters), the buffer overflows. The overflow bytes are restricted to the ASCII values of 0-9 and A-F, which limits exploitation to Denial of Service.\n\nThe companion function ei_print_term, which prints directly to a FILE instead of a memory buffer, does not contain this bug.\n\nThis issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erl_interface from 3.7.16 before 5.5.2.1, 5.7.0.1 and 5.8.1."
}
],
"impacts": [
{
"capecId": "CAPEC-8",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-8 Buffer Overflow in an API Call"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T04:45:57.427Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-xcxj-5pg2-v72j"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-49760.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-49760"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/0bef277b2d39dc8babb9ceb4f5d0a456f3007111"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Stack Buffer Overflow in ei_s_print_term at Very Large Integer",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Avoid calling \u003ctt\u003eei_s_print_term\u003c/tt\u003e with untrusted data whose encoded integer representation could exceed 2000 characters."
}
],
"value": "Avoid calling ei_s_print_term with untrusted data whose encoded integer representation could exceed 2000 characters."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-49760",
"datePublished": "2026-06-10T14:35:36.804Z",
"dateReserved": "2026-06-01T13:45:22.449Z",
"dateUpdated": "2026-06-11T04:45:57.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49762 (GCVE-0-2026-49762)
Vulnerability from cvelistv5 – Published: 2026-06-09 14:04 – Updated: 2026-06-10 04:43
VLAI
Title
Unbounded integer parsing in the Version module enables CPU and memory exhaustion denial of service
Summary
Uncontrolled Resource Consumption vulnerability in the Elixir standard library's Version module allows an attacker who controls a version string to cause a denial of service through CPU and memory exhaustion.
The version parser converts numeric version components (major, minor, patch and numeric pre-release/build identifiers) to integers without bounding their length. A single large all-digit component therefore forces a super-linear, non-yielding base-10 to arbitrary-precision integer conversion (String.to_integer/1, i.e. :erlang.binary_to_integer/1) that pins a BEAM scheduler, and a larger component raises an uncaught SystemLimitError that crashes the calling process. A single moderately sized string (around one megabyte) is enough; no authentication is required.
This is reachable from the public entry points Version.parse/1, Version.parse!/1, Version.match?/3, Version.compare/2, and Version.parse_requirement/1, which applications routinely call on untrusted input such as HTTP parameters, dependency-manifest fields, and package metadata.
This vulnerability is associated with program files lib/version.ex and program routines 'Elixir.Version.Parser':parse_digits/2.
This issue affects Elixir: from 1.5.0 before 1.20.1.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/elixir-lang/elixir/security/ad… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-49762.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-49762 | related |
| https://github.com/elixir-lang/elixir/commit/c644… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| elixir-lang | elixir |
Affected:
1.5.0 , < 1.20.1
(semver)
cpe:2.3:a:elixir-lang:elixir:*:*:*:*:*:*:*:* |
|
| elixir-lang | elixir |
Affected:
63e186aea94395897dc4964d82d250130c01ec25 , < c64417d72fd5c7d09e963ca3ac5fa2b140978d9e
(git)
cpe:2.3:a:elixir-lang:elixir:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49762",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T14:48:56.343391Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T14:49:07.338Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-lang:elixir:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Version\u0027",
"\u0027Elixir.Version.Parser\u0027"
],
"packageName": "elixir-lang/elixir",
"packageURL": "pkg:otp/elixir?repository_url=https:%2F%2Fgithub.com%2Felixir-lang%2Felixir\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Felixir-lang%2Felixir.git",
"product": "elixir",
"programFiles": [
"lib/version.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Version\u0027:parse/1"
},
{
"name": "\u0027Elixir.Version\u0027:parse!/1"
},
{
"name": "\u0027Elixir.Version\u0027:match?/3"
},
{
"name": "\u0027Elixir.Version\u0027:compare/2"
},
{
"name": "\u0027Elixir.Version\u0027:parse_requirement/1"
},
{
"name": "\u0027Elixir.Version.Parser\u0027:parse_version/2"
},
{
"name": "\u0027Elixir.Version.Parser\u0027:parse_digits/2"
},
{
"name": "\u0027Elixir.Version.Parser\u0027:require_digits/1"
},
{
"name": "\u0027Elixir.Version.Parser\u0027:convert_parts_to_integer/2"
}
],
"repo": "https://github.com/elixir-lang/elixir",
"vendor": "elixir-lang",
"versions": [
{
"lessThan": "1.20.1",
"status": "affected",
"version": "1.5.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-lang:elixir:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Version\u0027",
"\u0027Elixir.Version.Parser\u0027"
],
"packageName": "elixir-lang/elixir",
"packageURL": "pkg:github/elixir-lang/elixir",
"product": "elixir",
"programFiles": [
"lib/elixir/lib/version.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Version\u0027:parse/1"
},
{
"name": "\u0027Elixir.Version\u0027:parse!/1"
},
{
"name": "\u0027Elixir.Version\u0027:match?/3"
},
{
"name": "\u0027Elixir.Version\u0027:compare/2"
},
{
"name": "\u0027Elixir.Version\u0027:parse_requirement/1"
},
{
"name": "\u0027Elixir.Version.Parser\u0027:parse_version/2"
},
{
"name": "\u0027Elixir.Version.Parser\u0027:parse_digits/2"
},
{
"name": "\u0027Elixir.Version.Parser\u0027:require_digits/1"
},
{
"name": "\u0027Elixir.Version.Parser\u0027:convert_parts_to_integer/2"
}
],
"repo": "https://github.com/elixir-lang/elixir.git",
"vendor": "elixir-lang",
"versions": [
{
"lessThan": "c64417d72fd5c7d09e963ca3ac5fa2b140978d9e",
"status": "affected",
"version": "63e186aea94395897dc4964d82d250130c01ec25",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-lang:elixir:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.20.1",
"versionStartIncluding": "1.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jos\u00e9 Valim"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Eric Meadows-J\u00f6nsson"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUncontrolled Resource Consumption vulnerability in the Elixir standard library\u0027s \u003ctt\u003eVersion\u003c/tt\u003e module allows an attacker who controls a version string to cause a denial of service through CPU and memory exhaustion.\u003c/p\u003e\u003cp\u003eThe version parser converts numeric version components (major, minor, patch and numeric pre-release/build identifiers) to integers without bounding their length. A single large all-digit component therefore forces a super-linear, non-yielding base-10 to arbitrary-precision integer conversion (\u003ctt\u003eString.to_integer/1\u003c/tt\u003e, i.e. \u003ctt\u003e:erlang.binary_to_integer/1\u003c/tt\u003e) that pins a BEAM scheduler, and a larger component raises an uncaught \u003ctt\u003eSystemLimitError\u003c/tt\u003e that crashes the calling process. A single moderately sized string (around one megabyte) is enough; no authentication is required.\u003c/p\u003e\u003cp\u003eThis is reachable from the public entry points \u003ctt\u003eVersion.parse/1\u003c/tt\u003e, \u003ctt\u003eVersion.parse!/1\u003c/tt\u003e, \u003ctt\u003eVersion.match?/3\u003c/tt\u003e, \u003ctt\u003eVersion.compare/2\u003c/tt\u003e, and \u003ctt\u003eVersion.parse_requirement/1\u003c/tt\u003e, which applications routinely call on untrusted input such as HTTP parameters, dependency-manifest fields, and package metadata.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/version.ex\u003c/tt\u003e and program routines \u003ctt\u003e\u0027Elixir.Version.Parser\u0027:parse_digits/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects Elixir: from 1.5.0 before 1.20.1.\u003c/p\u003e"
}
],
"value": "Uncontrolled Resource Consumption vulnerability in the Elixir standard library\u0027s Version module allows an attacker who controls a version string to cause a denial of service through CPU and memory exhaustion.\n\nThe version parser converts numeric version components (major, minor, patch and numeric pre-release/build identifiers) to integers without bounding their length. A single large all-digit component therefore forces a super-linear, non-yielding base-10 to arbitrary-precision integer conversion (String.to_integer/1, i.e. :erlang.binary_to_integer/1) that pins a BEAM scheduler, and a larger component raises an uncaught SystemLimitError that crashes the calling process. A single moderately sized string (around one megabyte) is enough; no authentication is required.\n\nThis is reachable from the public entry points Version.parse/1, Version.parse!/1, Version.match?/3, Version.compare/2, and Version.parse_requirement/1, which applications routinely call on untrusted input such as HTTP parameters, dependency-manifest fields, and package metadata.\n\nThis vulnerability is associated with program files lib/version.ex and program routines \u0027Elixir.Version.Parser\u0027:parse_digits/2.\n\nThis issue affects Elixir: from 1.5.0 before 1.20.1."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T04:43:08.517Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-lang/elixir/security/advisories/GHSA-w2h8-8x3g-278p"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-49762.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-49762"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-lang/elixir/commit/c64417d72fd5c7d09e963ca3ac5fa2b140978d9e"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unbounded integer parsing in the Version module enables CPU and memory exhaustion denial of service",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-49762",
"datePublished": "2026-06-09T14:04:07.405Z",
"dateReserved": "2026-06-01T13:45:22.449Z",
"dateUpdated": "2026-06-10T04:43:08.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43966 (GCVE-0-2026-43966)
Vulnerability from cvelistv5 – Published: 2026-06-08 16:34 – Updated: 2026-06-09 04:38
VLAI
Title
HTTP Response Splitting via Non-VCHAR Bytes in cow_http_struct_hd:escape_string/2
Summary
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields string values.
cow_http_struct_hd:escape_string/2 in cowlib only escapes \ and ", passing all other bytes through verbatim. This creates an encoder/decoder asymmetry: the matching parser accepts only printable ASCII (0x20–0x7E, excluding " and \), but the encoder emits any byte including CR and LF. An application that builds a structured HTTP header via cow_http_struct_hd:item/1 (or a higher-level wrapper such as cow_http_hd:wt_protocol/1) from attacker-controlled input can have \r\n injected into the serialized header value. Once on the wire, the injected CRLF terminates the current header and any following bytes are interpreted as a new header, enabling HTTP response splitting.
This issue affects cowlib from 2.9.0.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://cna.erlef.org/cves/CVE-2026-43966.html | relatedthird-party-advisory |
| https://osv.dev/vulnerability/EEF-CVE-2026-43966 | related |
| https://github.com/ninenines/cowboy/commit/f77cb9… | mitigation |
| https://github.com/ninenines/gun/commit/4f35609eb… | mitigation |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-43966",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T18:37:59.853576Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T18:38:08.160Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"cow_http_struct_hd"
],
"packageName": "cowlib",
"packageURL": "pkg:hex/cowlib",
"product": "cowlib",
"programFiles": [
"src/cow_http_struct_hd.erl"
],
"programRoutines": [
{
"name": "cow_http_struct_hd:escape_string/2"
},
{
"name": "cow_http_struct_hd:bare_item/1"
}
],
"repo": "https://github.com/ninenines/cowlib",
"vendor": "ninenines",
"versions": [
{
"status": "affected",
"version": "2.9.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"cow_http_struct_hd"
],
"packageName": "ninenines/cowlib",
"packageURL": "pkg:github/ninenines/cowlib",
"product": "cowlib",
"programFiles": [
"src/cow_http_struct_hd.erl"
],
"programRoutines": [
{
"name": "cow_http_struct_hd:escape_string/2"
},
{
"name": "cow_http_struct_hd:bare_item/1"
}
],
"repo": "https://github.com/ninenines/cowlib",
"vendor": "ninenines",
"versions": [
{
"status": "affected",
"version": "a8b793db3d6ffe91d62f81baf41b1dab4cd78fb6",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe application must pass attacker-controlled data as a string value into \u003ctt\u003ecow_http_struct_hd:item/1\u003c/tt\u003e (or a wrapper that delegates to it). Applications that construct structured-fields header values exclusively from trusted, application-controlled values are not affected.\u003c/p\u003e"
}
],
"value": "The application must pass attacker-controlled data as a string value into cow_http_struct_hd:item/1 (or a wrapper that delegates to it). Applications that construct structured-fields header values exclusively from trusted, application-controlled values are not affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lo\u00efc Hoguin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027) vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields string values.\u003c/p\u003e\u003cp\u003e\u003ctt\u003ecow_http_struct_hd:escape_string/2\u003c/tt\u003e in cowlib only escapes \u003ctt\u003e\\\u003c/tt\u003e and \u003ctt\u003e\"\u003c/tt\u003e, passing all other bytes through verbatim. This creates an encoder/decoder asymmetry: the matching parser accepts only printable ASCII (0x20\u20130x7E, excluding \u003ctt\u003e\"\u003c/tt\u003e and \u003ctt\u003e\\\u003c/tt\u003e), but the encoder emits any byte including CR and LF. An application that builds a structured HTTP header via \u003ctt\u003ecow_http_struct_hd:item/1\u003c/tt\u003e (or a higher-level wrapper such as \u003ctt\u003ecow_http_hd:wt_protocol/1\u003c/tt\u003e) from attacker-controlled input can have \u003ctt\u003e\\r\\n\u003c/tt\u003e injected into the serialized header value. Once on the wire, the injected CRLF terminates the current header and any following bytes are interpreted as a new header, enabling HTTP response splitting.\u003c/p\u003e\u003cp\u003eThis issue affects cowlib from 2.9.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027) vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields string values.\n\ncow_http_struct_hd:escape_string/2 in cowlib only escapes \\ and \", passing all other bytes through verbatim. This creates an encoder/decoder asymmetry: the matching parser accepts only printable ASCII (0x20\u20130x7E, excluding \" and \\), but the encoder emits any byte including CR and LF. An application that builds a structured HTTP header via cow_http_struct_hd:item/1 (or a higher-level wrapper such as cow_http_hd:wt_protocol/1) from attacker-controlled input can have \\r\\n injected into the serialized header value. Once on the wire, the injected CRLF terminates the current header and any following bytes are interpreted as a new header, enabling HTTP response splitting.\n\nThis issue affects cowlib from 2.9.0."
}
],
"impacts": [
{
"capecId": "CAPEC-34",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-34 HTTP Response Splitting"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-113",
"description": "CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T04:38:15.827Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"related",
"third-party-advisory"
],
"url": "https://cna.erlef.org/cves/CVE-2026-43966.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-43966"
},
{
"tags": [
"mitigation"
],
"url": "https://github.com/ninenines/cowboy/commit/f77cb9b5e730e300fffb551db1ba5d1c4ed878ef"
},
{
"tags": [
"mitigation"
],
"url": "https://github.com/ninenines/gun/commit/4f35609eb37109b106a863fc9ba83d7ee64e3e42"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "HTTP Response Splitting via Non-VCHAR Bytes in cow_http_struct_hd:escape_string/2",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eValidate all values passed into structured-fields header builders (directly via \u003ctt\u003ecow_http_struct_hd:item/1\u003c/tt\u003e or indirectly via higher-level wrappers) before calling the encoder. Reject any value that is not from a trusted, application-controlled source or that contains CR (\u003ctt\u003e\\r\u003c/tt\u003e) or LF (\u003ctt\u003e\\n\u003c/tt\u003e) bytes.\u003c/p\u003e\u003cp\u003eApplications using cowboy 2.16.0 or later are protected on the server side by the \u003ctt\u003einvalid_response_headers\u003c/tt\u003e option (defaults to \u003ctt\u003eerror_terminate\u003c/tt\u003e), which rejects any outgoing response header value containing CR or LF before it reaches the wire. Applications using gun 2.4.0 or later are protected on the client side by the \u003ctt\u003einvalid_request_headers\u003c/tt\u003e request option (defaults to \u003ctt\u003eraise\u003c/tt\u003e), which raises an exception when an outgoing request header value contains CR or LF.\u003c/p\u003e"
}
],
"value": "Validate all values passed into structured-fields header builders (directly via cow_http_struct_hd:item/1 or indirectly via higher-level wrappers) before calling the encoder. Reject any value that is not from a trusted, application-controlled source or that contains CR (\\r) or LF (\\n) bytes.\n\nApplications using cowboy 2.16.0 or later are protected on the server side by the invalid_response_headers option (defaults to error_terminate), which rejects any outgoing response header value containing CR or LF before it reaches the wire. Applications using gun 2.4.0 or later are protected on the client side by the invalid_request_headers request option (defaults to raise), which raises an exception when an outgoing request header value contains CR or LF."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-43966",
"datePublished": "2026-06-08T16:34:33.364Z",
"dateReserved": "2026-05-04T18:23:25.573Z",
"dateUpdated": "2026-06-09T04:38:15.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49755 (GCVE-0-2026-49755)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:20 – Updated: 2026-06-08 17:14
VLAI
Title
Decompression bomb DoS in Req via auto-decoded archive and compressed response bodies
Summary
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to exhaust memory in a Req client via decompression-bomb response bodies.
Req's default response pipeline includes Req.Steps.decode_body/1 and Req.Steps.decompress_body/1 in lib/req/steps.ex. decode_body/1 dispatches on the server-supplied content-type (or URL extension) and calls :zip.extract(body, [:memory]) for application/zip, :erl_tar.extract({:binary, body}, [:memory]) for application/x-tar, and :erl_tar.extract({:binary, body}, [:memory, :compressed]) for application/gzip / .tgz. Each returns the full decompressed archive contents as a [{name, bytes}] list in memory, with no per-entry or total size cap. decompress_body/1 walks the content-encoding header and chains :zlib/:brotli/:ezstd decoders, so a response advertising content-encoding: gzip, gzip, gzip inflates through multiple layers without bound.
Both steps are enabled by default, no caller opt-in is required, and the attacker controls the content-type and content-encoding headers on their own server (or on any host reached via Req's automatic redirect following). A sub-megabyte response can expand to multiple gigabytes on the victim, crashing the BEAM process.
This issue affects req: from 0.1.0 before 0.6.1.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/wojtekmach/req/security/adviso… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-49755.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-49755 | related |
| https://github.com/wojtekmach/req/commit/84977e5b… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| wojtekmach | req |
Affected:
0.1.0 , < 0.6.1
(semver)
cpe:2.3:a:wojtekmach:req:*:*:*:*:*:*:*:* |
|
| wojtekmach | req |
Affected:
e37753741cbdc725e6aba3d977b380163bfc0ecb , < 84977e5b1a83f26e749d55ad06e3625464af4e8d
(git)
cpe:2.3:a:wojtekmach:req:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49755",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T16:49:57.977214Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T16:50:03.277Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/wojtekmach/req/security/advisories/GHSA-655f-mp8p-96gv"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:wojtekmach:req:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Req.Steps\u0027"
],
"packageName": "req",
"packageURL": "pkg:hex/req",
"product": "req",
"programFiles": [
"lib/req/steps.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Req.Steps\u0027:decode_body/1"
},
{
"name": "\u0027Elixir.Req.Steps\u0027:decompress_body/1"
}
],
"repo": "https://github.com/wojtekmach/req",
"vendor": "wojtekmach",
"versions": [
{
"lessThan": "0.6.1",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:wojtekmach:req:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Req.Steps\u0027"
],
"packageName": "wojtekmach/req",
"packageURL": "pkg:github/wojtekmach/req",
"product": "req",
"programFiles": [
"lib/req/steps.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Req.Steps\u0027:decode_body/1"
},
{
"name": "\u0027Elixir.Req.Steps\u0027:decompress_body/1"
}
],
"repo": "https://github.com/wojtekmach/req.git",
"vendor": "wojtekmach",
"versions": [
{
"lessThan": "84977e5b1a83f26e749d55ad06e3625464af4e8d",
"status": "affected",
"version": "e37753741cbdc725e6aba3d977b380163bfc0ecb",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wojtekmach:req:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.6.1",
"versionStartIncluding": "0.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Wojtek Mach"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to exhaust memory in a Req client via decompression-bomb response bodies.\u003cp\u003eReq\u0027s default response pipeline includes \u003ctt\u003e\u0027Elixir.Req.Steps\u0027:decode_body/1\u003c/tt\u003e and \u003ctt\u003e\u0027Elixir.Req.Steps\u0027:decompress_body/1\u003c/tt\u003e in \u003ctt\u003elib/req/steps.ex\u003c/tt\u003e. \u003ctt\u003edecode_body/1\u003c/tt\u003e dispatches on the server-supplied \u003ctt\u003econtent-type\u003c/tt\u003e (or URL extension) and calls \u003ctt\u003e:zip.extract(body, [:memory])\u003c/tt\u003e for \u003ctt\u003eapplication/zip\u003c/tt\u003e, \u003ctt\u003e:erl_tar.extract({:binary, body}, [:memory])\u003c/tt\u003e for \u003ctt\u003eapplication/x-tar\u003c/tt\u003e, and \u003ctt\u003e:erl_tar.extract({:binary, body}, [:memory, :compressed])\u003c/tt\u003e for \u003ctt\u003eapplication/gzip\u003c/tt\u003e / \u003ctt\u003e.tgz\u003c/tt\u003e. Each returns the full decompressed archive contents as a \u003ctt\u003e[{name, bytes}]\u003c/tt\u003e list in memory, with no per-entry or total size cap. \u003ctt\u003edecompress_body/1\u003c/tt\u003e walks the \u003ctt\u003econtent-encoding\u003c/tt\u003e header and chains \u003ctt\u003e:zlib\u003c/tt\u003e/\u003ctt\u003e:brotli\u003c/tt\u003e/\u003ctt\u003e:ezstd\u003c/tt\u003e decoders, so a response advertising \u003ctt\u003econtent-encoding: gzip, gzip, gzip\u003c/tt\u003e inflates through multiple layers without bound.\u003c/p\u003e\u003cp\u003eBoth steps are enabled by default, no caller opt-in is required, and the attacker controls the \u003ctt\u003econtent-type\u003c/tt\u003e and \u003ctt\u003econtent-encoding\u003c/tt\u003e headers on their own server (or on any host reached via Req\u0027s automatic redirect following). A sub-megabyte response can expand to multiple gigabytes on the victim, crashing the BEAM process.\u003c/p\u003e\u003cp\u003eThis issue affects req: from 0.1.0 before 0.6.1.\u003c/p\u003e"
}
],
"value": "Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to exhaust memory in a Req client via decompression-bomb response bodies.\n\nReq\u0027s default response pipeline includes Req.Steps.decode_body/1 and Req.Steps.decompress_body/1 in lib/req/steps.ex. decode_body/1 dispatches on the server-supplied content-type (or URL extension) and calls :zip.extract(body, [:memory]) for application/zip, :erl_tar.extract({:binary, body}, [:memory]) for application/x-tar, and :erl_tar.extract({:binary, body}, [:memory, :compressed]) for application/gzip / .tgz. Each returns the full decompressed archive contents as a [{name, bytes}] list in memory, with no per-entry or total size cap. decompress_body/1 walks the content-encoding header and chains :zlib/:brotli/:ezstd decoders, so a response advertising content-encoding: gzip, gzip, gzip inflates through multiple layers without bound.\n\nBoth steps are enabled by default, no caller opt-in is required, and the attacker controls the content-type and content-encoding headers on their own server (or on any host reached via Req\u0027s automatic redirect following). A sub-megabyte response can expand to multiple gigabytes on the victim, crashing the BEAM process.\n\nThis issue affects req: from 0.1.0 before 0.6.1."
}
],
"impacts": [
{
"capecId": "CAPEC-197",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-197 Exponential Data Expansion"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-409",
"description": "CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T17:14:08.858Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/wojtekmach/req/security/advisories/GHSA-655f-mp8p-96gv"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-49755.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-49755"
},
{
"tags": [
"patch"
],
"url": "https://github.com/wojtekmach/req/commit/84977e5b1a83f26e749d55ad06e3625464af4e8d"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Decompression bomb DoS in Req via auto-decoded archive and compressed response bodies",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDisable Req\u0027s automatic body decoding on requests that fetch attacker-influenced URLs by passing \u003ctt\u003edecode_body: false\u003c/tt\u003e to \u003ctt\u003e\u0027Elixir.Req\u0027:new/1\u003c/tt\u003e / \u003ctt\u003e\u0027Elixir.Req\u0027:get!/1\u003c/tt\u003e. To also skip the \u003ctt\u003econtent-encoding\u003c/tt\u003e decompression pipeline, pass \u003ctt\u003eraw: true\u003c/tt\u003e. Both options leave the response body as the raw on-the-wire bytes, so the caller can size-check before any decompression.\u003c/p\u003e"
}
],
"value": "Disable Req\u0027s automatic body decoding on requests that fetch attacker-influenced URLs by passing decode_body: false to Req.new/1 / Req.get!/1. To also skip the content-encoding decompression pipeline, pass raw: true. Both options leave the response body as the raw on-the-wire bytes, so the caller can size-check before any decompression."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-49755",
"datePublished": "2026-06-08T15:20:57.415Z",
"dateReserved": "2026-06-01T13:45:22.448Z",
"dateUpdated": "2026-06-08T17:14:08.858Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49756 (GCVE-0-2026-49756)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:20 – Updated: 2026-06-08 16:34
VLAI
Title
Multipart form-data header injection in Req via unescaped name/filename/content_type
Summary
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in wojtekmach Req allows multipart parameter smuggling via attacker-influenced part metadata.
Req.Utils.encode_form_part/2 in lib/req/utils.ex builds the per-part headers by interpolating the caller-supplied name, filename, and content_type values directly into the content-disposition and content-type lines with no escaping or CRLF stripping. A value containing ", \r, or \n closes the surrounding quoted value and starts a new header line; an additional \r\n--<boundary> terminates the current part and prepends a smuggled part of the attacker's choosing.
This is reachable through every supported way of supplying a part. It is particularly easy when value is a %File.Stream{}, because filename then defaults to Path.basename(stream.path) and POSIX filenames may legitimately contain \r and \n. Any application that forwards user-controlled filenames (or field names / MIME types) through Req.post/2 with form_multipart: lets an attacker inject arbitrary headers into the outgoing multipart body or smuggle additional fields and parts into the request the victim service sends downstream.
This issue affects req: from 0.5.3 before 0.6.0.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/wojtekmach/req/security/adviso… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-49756.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-49756 | related |
| https://github.com/wojtekmach/req/commit/74506ff2… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| wojtekmach | req |
Affected:
0.5.3 , < 0.6.0
(semver)
cpe:2.3:a:wojtekmach:req:*:*:*:*:*:*:*:* |
|
| wojtekmach | req |
Affected:
60253dbe9436cb8e9c738f895032f2e87939b597 , < 74506ff2c5addf74df85d79dc726e9b2e264a8ba
(git)
cpe:2.3:a:wojtekmach:req:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49756",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T16:05:54.070488Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T16:05:58.580Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/wojtekmach/req/security/advisories/GHSA-px9f-whj3-246m"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:wojtekmach:req:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Req.Utils\u0027"
],
"packageName": "req",
"packageURL": "pkg:hex/req",
"product": "req",
"programFiles": [
"lib/req/utils.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Req.Utils\u0027:encode_form_part/2"
}
],
"repo": "https://github.com/wojtekmach/req",
"vendor": "wojtekmach",
"versions": [
{
"lessThan": "0.6.0",
"status": "affected",
"version": "0.5.3",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:wojtekmach:req:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Req.Utils\u0027"
],
"packageName": "wojtekmach/req",
"packageURL": "pkg:github/wojtekmach/req",
"product": "req",
"programFiles": [
"lib/req/utils.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Req.Utils\u0027:encode_form_part/2"
}
],
"repo": "https://github.com/wojtekmach/req.git",
"vendor": "wojtekmach",
"versions": [
{
"lessThan": "74506ff2c5addf74df85d79dc726e9b2e264a8ba",
"status": "affected",
"version": "60253dbe9436cb8e9c738f895032f2e87939b597",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wojtekmach:req:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.6.0",
"versionStartIncluding": "0.5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Wojtek Mach"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in wojtekmach Req allows multipart parameter smuggling via attacker-influenced part metadata.\u003cp\u003e\u003ctt\u003e\u0027Elixir.Req.Utils\u0027:encode_form_part/2\u003c/tt\u003e in \u003ctt\u003elib/req/utils.ex\u003c/tt\u003e builds the per-part headers by interpolating the caller-supplied \u003ctt\u003ename\u003c/tt\u003e, \u003ctt\u003efilename\u003c/tt\u003e, and \u003ctt\u003econtent_type\u003c/tt\u003e values directly into the \u003ctt\u003econtent-disposition\u003c/tt\u003e and \u003ctt\u003econtent-type\u003c/tt\u003e lines with no escaping or CRLF stripping. A value containing \u003ctt\u003e\"\u003c/tt\u003e, \u003ctt\u003e\\r\u003c/tt\u003e, or \u003ctt\u003e\\n\u003c/tt\u003e closes the surrounding quoted value and starts a new header line; an additional \u003ctt\u003e\\r\\n--\u0026lt;boundary\u0026gt;\u003c/tt\u003e terminates the current part and prepends a smuggled part of the attacker\u0027s choosing.\u003c/p\u003e\u003cp\u003eThis is reachable through every supported way of supplying a part. It is particularly easy when \u003ctt\u003evalue\u003c/tt\u003e is a \u003ctt\u003e%File.Stream{}\u003c/tt\u003e, because \u003ctt\u003efilename\u003c/tt\u003e then defaults to \u003ctt\u003ePath.basename(stream.path)\u003c/tt\u003e and POSIX filenames may legitimately contain \u003ctt\u003e\\r\u003c/tt\u003e and \u003ctt\u003e\\n\u003c/tt\u003e. Any application that forwards user-controlled filenames (or field names / MIME types) through \u003ctt\u003e\u0027Elixir.Req\u0027:post/2\u003c/tt\u003e with \u003ctt\u003eform_multipart:\u003c/tt\u003e lets an attacker inject arbitrary headers into the outgoing multipart body or smuggle additional fields and parts into the request the victim service sends downstream.\u003c/p\u003e\u003cp\u003eThis issue affects req: from 0.5.3 before 0.6.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in wojtekmach Req allows multipart parameter smuggling via attacker-influenced part metadata.\n\nReq.Utils.encode_form_part/2 in lib/req/utils.ex builds the per-part headers by interpolating the caller-supplied name, filename, and content_type values directly into the content-disposition and content-type lines with no escaping or CRLF stripping. A value containing \", \\r, or \\n closes the surrounding quoted value and starts a new header line; an additional \\r\\n--\u003cboundary\u003e terminates the current part and prepends a smuggled part of the attacker\u0027s choosing.\n\nThis is reachable through every supported way of supplying a part. It is particularly easy when value is a %File.Stream{}, because filename then defaults to Path.basename(stream.path) and POSIX filenames may legitimately contain \\r and \\n. Any application that forwards user-controlled filenames (or field names / MIME types) through Req.post/2 with form_multipart: lets an attacker inject arbitrary headers into the outgoing multipart body or smuggle additional fields and parts into the request the victim service sends downstream.\n\nThis issue affects req: from 0.5.3 before 0.6.0."
}
],
"impacts": [
{
"capecId": "CAPEC-33",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-33 HTTP Request Smuggling"
}
]
},
{
"capecId": "CAPEC-105",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-105 HTTP Request Splitting"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T16:34:58.505Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/wojtekmach/req/security/advisories/GHSA-px9f-whj3-246m"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-49756.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-49756"
},
{
"tags": [
"patch"
],
"url": "https://github.com/wojtekmach/req/commit/74506ff2c5addf74df85d79dc726e9b2e264a8ba"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Multipart form-data header injection in Req via unescaped name/filename/content_type",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSanitize attacker-influenced \u003ctt\u003ename\u003c/tt\u003e, \u003ctt\u003efilename\u003c/tt\u003e, and \u003ctt\u003econtent_type\u003c/tt\u003e values before passing them to \u003ctt\u003e\u0027Elixir.Req\u0027:post/2\u003c/tt\u003e with \u003ctt\u003eform_multipart:\u003c/tt\u003e. At minimum, reject (or strip) any value containing \u003ctt\u003e\\r\u003c/tt\u003e, \u003ctt\u003e\\n\u003c/tt\u003e, or \u003ctt\u003e\"\u003c/tt\u003e. When forwarding uploads, derive \u003ctt\u003efilename\u003c/tt\u003e from a normalised string rather than \u003ctt\u003ePath.basename/1\u003c/tt\u003e on a user-controlled path.\u003c/p\u003e"
}
],
"value": "Sanitize attacker-influenced name, filename, and content_type values before passing them to Req.post/2 with form_multipart:. At minimum, reject (or strip) any value containing \\r, \\n, or \". When forwarding uploads, derive filename from a normalised string rather than Path.basename/1 on a user-controlled path."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-49756",
"datePublished": "2026-06-08T15:20:24.035Z",
"dateReserved": "2026-06-01T13:45:22.448Z",
"dateUpdated": "2026-06-08T16:34:58.505Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43973 (GCVE-0-2026-43973)
Vulnerability from cvelistv5 – Published: 2026-06-08 14:12 – Updated: 2026-06-08 16:35
VLAI
Title
gun HTTP/1.1 response buffer has no size limit allowing server-controlled memory exhaustion
Summary
Uncontrolled Resource Consumption vulnerability in ninenines gun (gun_http module) allows a malicious server to exhaust client memory via unbounded HTTP/1.1 response buffering.
In gun_http:handle/5, three clauses accumulate incoming TCP data into the connection's buffer field using binary concatenation with no upper-bound check: the head clause appends data until the \r\n\r\n header terminator is found; the body_chunked clause appends data whenever cow_http_te:stream_chunked/2 returns a more result indicating an incomplete chunk boundary; and the body_trailer clause appends data until the trailing \r\n\r\n is found. In each case, when the expected terminator never arrives, the enlarged binary is stored back into state and the process waits for more data, with no configurable or hard-coded ceiling on buffer size.
A malicious or compromised server can exploit this by sending a partial response that never completes. For example, a response may begin with HTTP/1.1 200 OK\r\nX-Pad: followed by an unbounded stream of arbitrary bytes, never sending the header terminator. The gun connection process will continuously append the incoming data to its buffer, causing unbounded heap growth. Because BEAM imposes no per-process heap limit by default, a single malicious connection can exhaust all available memory on the node, causing a node-wide out-of-memory crash.
This issue affects gun: from 1.0.0 before 2.4.0.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://cna.erlef.org/cves/CVE-2026-43973.html | relatedthird-party-advisory |
| https://osv.dev/vulnerability/EEF-CVE-2026-43973 | related |
| https://github.com/ninenines/gun/commit/f3e7e0568… | patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-43973",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T15:48:05.292583Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T15:48:12.581Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ninenines:gun:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"gun_http"
],
"packageName": "gun",
"packageURL": "pkg:hex/gun",
"product": "gun",
"programFiles": [
"src/gun_http.erl"
],
"programRoutines": [
{
"name": "gun_http:handle/5"
}
],
"repo": "https://github.com/ninenines/gun",
"vendor": "ninenines",
"versions": [
{
"lessThan": "2.4.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:ninenines:gun:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"gun_http"
],
"packageName": "ninenines/gun",
"packageURL": "pkg:github/ninenines/gun",
"product": "gun",
"programFiles": [
"src/gun_http.erl"
],
"programRoutines": [
{
"name": "gun_http:handle/5"
}
],
"repo": "https://github.com/ninenines/gun.git",
"vendor": "ninenines",
"versions": [
{
"lessThan": "f3e7e0568b3c4cf9fa4bea79d5116e67ce76ad25",
"status": "affected",
"version": "11dfe71f4b9aedaaedea2ad3b2f32fd006a8480f",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ninenines:gun:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.4.0",
"versionStartIncluding": "1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lo\u00efc Hoguin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Uncontrolled Resource Consumption vulnerability in ninenines gun (\u003ctt\u003egun_http\u003c/tt\u003e module) allows a malicious server to exhaust client memory via unbounded HTTP/1.1 response buffering.\u003cp\u003eIn \u003ctt\u003egun_http:handle/5\u003c/tt\u003e, three clauses accumulate incoming TCP data into the connection\u0027s \u003ctt\u003ebuffer\u003c/tt\u003e field using binary concatenation with no upper-bound check: the \u003ctt\u003ehead\u003c/tt\u003e clause appends data until the \u003ctt\u003e\\r\\n\\r\\n\u003c/tt\u003e header terminator is found; the \u003ctt\u003ebody_chunked\u003c/tt\u003e clause appends data whenever \u003ctt\u003ecow_http_te:stream_chunked/2\u003c/tt\u003e returns a \u003ctt\u003emore\u003c/tt\u003e result indicating an incomplete chunk boundary; and the \u003ctt\u003ebody_trailer\u003c/tt\u003e clause appends data until the trailing \u003ctt\u003e\\r\\n\\r\\n\u003c/tt\u003e is found. In each case, when the expected terminator never arrives, the enlarged binary is stored back into state and the process waits for more data, with no configurable or hard-coded ceiling on buffer size.\u003c/p\u003e\u003cp\u003eA malicious or compromised server can exploit this by sending a partial response that never completes. For example, a response may begin with \u003ctt\u003eHTTP/1.1 200 OK\\r\\nX-Pad: \u003c/tt\u003e followed by an unbounded stream of arbitrary bytes, never sending the header terminator. The gun connection process will continuously append the incoming data to its buffer, causing unbounded heap growth. Because BEAM imposes no per-process heap limit by default, a single malicious connection can exhaust all available memory on the node, causing a node-wide out-of-memory crash.\u003c/p\u003e\u003cp\u003eThis issue affects gun: from 1.0.0 before 2.4.0.\u003c/p\u003e"
}
],
"value": "Uncontrolled Resource Consumption vulnerability in ninenines gun (gun_http module) allows a malicious server to exhaust client memory via unbounded HTTP/1.1 response buffering.\n\nIn gun_http:handle/5, three clauses accumulate incoming TCP data into the connection\u0027s buffer field using binary concatenation with no upper-bound check: the head clause appends data until the \\r\\n\\r\\n header terminator is found; the body_chunked clause appends data whenever cow_http_te:stream_chunked/2 returns a more result indicating an incomplete chunk boundary; and the body_trailer clause appends data until the trailing \\r\\n\\r\\n is found. In each case, when the expected terminator never arrives, the enlarged binary is stored back into state and the process waits for more data, with no configurable or hard-coded ceiling on buffer size.\n\nA malicious or compromised server can exploit this by sending a partial response that never completes. For example, a response may begin with HTTP/1.1 200 OK\\r\\nX-Pad: followed by an unbounded stream of arbitrary bytes, never sending the header terminator. The gun connection process will continuously append the incoming data to its buffer, causing unbounded heap growth. Because BEAM imposes no per-process heap limit by default, a single malicious connection can exhaust all available memory on the node, causing a node-wide out-of-memory crash.\n\nThis issue affects gun: from 1.0.0 before 2.4.0."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T16:35:01.405Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"related",
"third-party-advisory"
],
"url": "https://cna.erlef.org/cves/CVE-2026-43973.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-43973"
},
{
"tags": [
"patch"
],
"url": "https://github.com/ninenines/gun/commit/f3e7e0568b3c4cf9fa4bea79d5116e67ce76ad25"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "gun HTTP/1.1 response buffer has no size limit allowing server-controlled memory exhaustion",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-43973",
"datePublished": "2026-06-08T14:12:42.128Z",
"dateReserved": "2026-05-04T18:23:25.574Z",
"dateUpdated": "2026-06-08T16:35:01.405Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43972 (GCVE-0-2026-43972)
Vulnerability from cvelistv5 – Published: 2026-06-08 14:12 – Updated: 2026-06-08 16:34
VLAI
Title
gun HTTP/2 PUSH_PROMISE authority not validated against connection origin allows cross-origin cookie injection
Summary
Origin Validation Error vulnerability in ninenines gun (gun_http2 module) allows cross-origin cookie injection via unvalidated HTTP/2 PUSH_PROMISE authority.
In gun_http2:push_promise_frame/7, the :authority pseudo-header from an incoming PUSH_PROMISE frame is stored verbatim into the promised stream record without checking that it matches the connection's origin. When gun_http2:headers_frame/9 later processes the response headers for the promised stream, it calls gun_cookies:set_cookie_header/7 with the unvalidated server-supplied authority before any status branching and before user code can act. This violates RFC 7540 §10.6 / RFC 9113 §8.4, which require receivers to treat as a protocol error any push for a resource the server is not authoritative for.
A malicious or compromised HTTP/2 server can plant cookies scoped to arbitrary third-party domains into the client's shared cookie store. This enables session fixation attacks against those domains and, if the planted cookie overrides a legitimate session token, may result in account takeover. No user interaction beyond making a normal HTTP/2 request to the attacker-controlled server is required.
This issue affects gun: from 2.0.0 before 2.4.0.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-346 - Origin Validation Error
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://cna.erlef.org/cves/CVE-2026-43972.html | relatedthird-party-advisory |
| https://osv.dev/vulnerability/EEF-CVE-2026-43972 | related |
| https://github.com/ninenines/gun/commit/567863ff5… | patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-43972",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T15:42:59.352280Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T15:43:06.577Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ninenines:gun:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"gun_http2"
],
"packageName": "gun",
"packageURL": "pkg:hex/gun",
"product": "gun",
"programFiles": [
"src/gun_http2.erl"
],
"programRoutines": [
{
"name": "gun_http2:push_promise_frame/7"
},
{
"name": "gun_http2:headers_frame/9"
}
],
"repo": "https://github.com/ninenines/gun",
"vendor": "ninenines",
"versions": [
{
"lessThan": "2.4.0",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:ninenines:gun:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"gun_http2"
],
"packageName": "ninenines/gun",
"packageURL": "pkg:github/ninenines/gun",
"product": "gun",
"programFiles": [
"src/gun_http2.erl"
],
"programRoutines": [
{
"name": "gun_http2:push_promise_frame/7"
},
{
"name": "gun_http2:headers_frame/9"
}
],
"repo": "https://github.com/ninenines/gun.git",
"vendor": "ninenines",
"versions": [
{
"lessThan": "567863ff53802fed21c3b3f25812db7f7ae29676",
"status": "affected",
"version": "871989eef53663285c165fdfb83a5918ebe00d41",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe vulnerability is exploitable only when gun is configured with a \u003ctt\u003ecookie_store\u003c/tt\u003e and connects to an HTTP/2 server with server push enabled.\u003c/p\u003e"
}
],
"value": "The vulnerability is exploitable only when gun is configured with a cookie_store and connects to an HTTP/2 server with server push enabled."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ninenines:gun:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.4.0",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lo\u00efc Hoguin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Origin Validation Error vulnerability in ninenines gun (\u003ctt\u003egun_http2\u003c/tt\u003e module) allows cross-origin cookie injection via unvalidated HTTP/2 PUSH_PROMISE authority.\u003cp\u003eIn \u003ctt\u003egun_http2:push_promise_frame/7\u003c/tt\u003e, the \u003ctt\u003e:authority\u003c/tt\u003e pseudo-header from an incoming PUSH_PROMISE frame is stored verbatim into the promised stream record without checking that it matches the connection\u0027s origin. When \u003ctt\u003egun_http2:headers_frame/9\u003c/tt\u003e later processes the response headers for the promised stream, it calls \u003ctt\u003egun_cookies:set_cookie_header/7\u003c/tt\u003e with the unvalidated server-supplied authority before any status branching and before user code can act. This violates RFC 7540 \u00a710.6 / RFC 9113 \u00a78.4, which require receivers to treat as a protocol error any push for a resource the server is not authoritative for.\u003c/p\u003e\u003cp\u003eA malicious or compromised HTTP/2 server can plant cookies scoped to arbitrary third-party domains into the client\u0027s shared cookie store. This enables session fixation attacks against those domains and, if the planted cookie overrides a legitimate session token, may result in account takeover. No user interaction beyond making a normal HTTP/2 request to the attacker-controlled server is required.\u003c/p\u003e\u003cp\u003eThis issue affects gun: from 2.0.0 before 2.4.0.\u003c/p\u003e"
}
],
"value": "Origin Validation Error vulnerability in ninenines gun (gun_http2 module) allows cross-origin cookie injection via unvalidated HTTP/2 PUSH_PROMISE authority.\n\nIn gun_http2:push_promise_frame/7, the :authority pseudo-header from an incoming PUSH_PROMISE frame is stored verbatim into the promised stream record without checking that it matches the connection\u0027s origin. When gun_http2:headers_frame/9 later processes the response headers for the promised stream, it calls gun_cookies:set_cookie_header/7 with the unvalidated server-supplied authority before any status branching and before user code can act. This violates RFC 7540 \u00a710.6 / RFC 9113 \u00a78.4, which require receivers to treat as a protocol error any push for a resource the server is not authoritative for.\n\nA malicious or compromised HTTP/2 server can plant cookies scoped to arbitrary third-party domains into the client\u0027s shared cookie store. This enables session fixation attacks against those domains and, if the planted cookie overrides a legitimate session token, may result in account takeover. No user interaction beyond making a normal HTTP/2 request to the attacker-controlled server is required.\n\nThis issue affects gun: from 2.0.0 before 2.4.0."
}
],
"impacts": [
{
"capecId": "CAPEC-61",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-61 Session Fixation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346 Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T16:34:45.350Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"related",
"third-party-advisory"
],
"url": "https://cna.erlef.org/cves/CVE-2026-43972.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-43972"
},
{
"tags": [
"patch"
],
"url": "https://github.com/ninenines/gun/commit/567863ff53802fed21c3b3f25812db7f7ae29676"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "gun HTTP/2 PUSH_PROMISE authority not validated against connection origin allows cross-origin cookie injection",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-43972",
"datePublished": "2026-06-08T14:12:38.780Z",
"dateReserved": "2026-05-04T18:23:25.574Z",
"dateUpdated": "2026-06-08T16:34:45.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43974 (GCVE-0-2026-43974)
Vulnerability from cvelistv5 – Published: 2026-06-08 14:12 – Updated: 2026-06-08 16:34
VLAI
Title
gun HTTP/1.1 client accepts unsolicited 101 Switching Protocols response allowing server-driven protocol hijack and OOM
Summary
Unexpected Status Code or Return Value vulnerability in ninenines gun (gun_http module) allows a malicious HTTP server to force the client into raw protocol mode via an unsolicited 101 Switching Protocols response.
In gun_http:handle_inform/8, when a 101 Switching Protocols response is received over HTTP/1.1, the function verifies only that the Upgrade header is syntactically valid and that the stream reference is a plain reference(). It does not check whether the client ever sent an Upgrade or Connection: upgrade header on the corresponding request. Because this check is absent, any 101 response (solicited or not) causes gun to dispatch a gun_upgrade message to the caller and transition the entire connection to raw protocol mode.
A malicious or compromised HTTP server can send an unsolicited 101 response to any HTTP/1.1 request, causing the gun client to abandon HTTP framing for that connection. Once in raw mode, gun_raw applies no flow control (flow=infinity) and re-arms socket active mode after every received packet, so the server can flood the client with arbitrary bytes. These are forwarded as unbounded gun_data messages to the owner process, exhausting its mailbox and BEAM memory, ultimately crashing the VM.
This issue affects gun: from 2.0.0 before 2.4.0.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-841 - Improper Enforcement of Behavioral Workflow
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://cna.erlef.org/cves/CVE-2026-43974.html | relatedthird-party-advisory |
| https://osv.dev/vulnerability/EEF-CVE-2026-43974 | related |
| https://github.com/ninenines/gun/commit/5b48068c2… | patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-43974",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T15:41:42.657559Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T15:41:49.498Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ninenines:gun:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"gun_http"
],
"packageName": "gun",
"packageURL": "pkg:hex/gun",
"product": "gun",
"programFiles": [
"src/gun_http.erl"
],
"programRoutines": [
{
"name": "gun_http:handle_inform/8"
}
],
"repo": "https://github.com/ninenines/gun",
"vendor": "ninenines",
"versions": [
{
"lessThan": "2.4.0",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:ninenines:gun:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"gun_http"
],
"packageName": "ninenines/gun",
"packageURL": "pkg:github/ninenines/gun",
"product": "gun",
"programFiles": [
"src/gun_http.erl"
],
"programRoutines": [
{
"name": "gun_http:handle_inform/8"
}
],
"repo": "https://github.com/ninenines/gun.git",
"vendor": "ninenines",
"versions": [
{
"lessThan": "5b48068c29ce5e112cb149b5857c7d4dc319a81b",
"status": "affected",
"version": "a3c2edbb8c807717e2f10520c6cf1e77a62eab2e",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ninenines:gun:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.4.0",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lo\u00efc Hoguin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unexpected Status Code or Return Value vulnerability in ninenines gun (\u003ctt\u003egun_http\u003c/tt\u003e module) allows a malicious HTTP server to force the client into raw protocol mode via an unsolicited 101 Switching Protocols response.\u003cp\u003eIn \u003ctt\u003egun_http:handle_inform/8\u003c/tt\u003e, when a \u003ctt\u003e101 Switching Protocols\u003c/tt\u003e response is received over HTTP/1.1, the function verifies only that the \u003ctt\u003eUpgrade\u003c/tt\u003e header is syntactically valid and that the stream reference is a plain \u003ctt\u003ereference()\u003c/tt\u003e. It does not check whether the client ever sent an \u003ctt\u003eUpgrade\u003c/tt\u003e or \u003ctt\u003eConnection: upgrade\u003c/tt\u003e header on the corresponding request. Because this check is absent, any 101 response (solicited or not) causes gun to dispatch a \u003ctt\u003egun_upgrade\u003c/tt\u003e message to the caller and transition the entire connection to raw protocol mode.\u003c/p\u003e\u003cp\u003eA malicious or compromised HTTP server can send an unsolicited 101 response to any HTTP/1.1 request, causing the gun client to abandon HTTP framing for that connection. Once in raw mode, \u003ctt\u003egun_raw\u003c/tt\u003e applies no flow control (\u003ctt\u003eflow=infinity\u003c/tt\u003e) and re-arms socket \u003ctt\u003eactive\u003c/tt\u003e mode after every received packet, so the server can flood the client with arbitrary bytes. These are forwarded as unbounded \u003ctt\u003egun_data\u003c/tt\u003e messages to the owner process, exhausting its mailbox and BEAM memory, ultimately crashing the VM.\u003c/p\u003e\u003cp\u003eThis issue affects gun: from 2.0.0 before 2.4.0.\u003c/p\u003e"
}
],
"value": "Unexpected Status Code or Return Value vulnerability in ninenines gun (gun_http module) allows a malicious HTTP server to force the client into raw protocol mode via an unsolicited 101 Switching Protocols response.\n\nIn gun_http:handle_inform/8, when a 101 Switching Protocols response is received over HTTP/1.1, the function verifies only that the Upgrade header is syntactically valid and that the stream reference is a plain reference(). It does not check whether the client ever sent an Upgrade or Connection: upgrade header on the corresponding request. Because this check is absent, any 101 response (solicited or not) causes gun to dispatch a gun_upgrade message to the caller and transition the entire connection to raw protocol mode.\n\nA malicious or compromised HTTP server can send an unsolicited 101 response to any HTTP/1.1 request, causing the gun client to abandon HTTP framing for that connection. Once in raw mode, gun_raw applies no flow control (flow=infinity) and re-arms socket active mode after every received packet, so the server can flood the client with arbitrary bytes. These are forwarded as unbounded gun_data messages to the owner process, exhausting its mailbox and BEAM memory, ultimately crashing the VM.\n\nThis issue affects gun: from 2.0.0 before 2.4.0."
}
],
"impacts": [
{
"capecId": "CAPEC-220",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-220 Client-Server Protocol Manipulation"
}
]
},
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-841",
"description": "CWE-841 Improper Enforcement of Behavioral Workflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T16:34:38.989Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"related",
"third-party-advisory"
],
"url": "https://cna.erlef.org/cves/CVE-2026-43974.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-43974"
},
{
"tags": [
"patch"
],
"url": "https://github.com/ninenines/gun/commit/5b48068c29ce5e112cb149b5857c7d4dc319a81b"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "gun HTTP/1.1 client accepts unsolicited 101 Switching Protocols response allowing server-driven protocol hijack and OOM",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-43974",
"datePublished": "2026-06-08T14:12:36.957Z",
"dateReserved": "2026-05-04T18:23:25.574Z",
"dateUpdated": "2026-06-08T16:34:38.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48596 (GCVE-0-2026-48596)
Vulnerability from cvelistv5 – Published: 2026-06-02 19:09 – Updated: 2026-06-04 04:45
VLAI
Title
CRLF injection in Tesla.Multipart.add_content_type_param/2 allows HTTP header injection
Summary
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in elixir-tesla tesla allows HTTP header injection via Tesla.Multipart.add_content_type_param/2.
Tesla.Multipart.add_content_type_param/2 appends caller-supplied strings to the multipart content_type_params list without validating for CR (\r) or LF (\n) characters. Tesla.Multipart.headers/1 then joins these params verbatim with "; " to construct the outgoing Content-Type header value. A param containing \r\n splits the header line, allowing arbitrary headers to be injected into the outbound HTTP request. Any application that forwards untrusted input (such as a user-supplied charset or parameter string) into add_content_type_param/2 is affected.
This issue affects tesla: from 0.8.0 before 1.18.3.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/elixir-tesla/tesla/security/ad… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-48596.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-48596 | related |
| https://github.com/elixir-tesla/tesla/commit/2360… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| elixir-tesla | tesla |
Affected:
0.8.0 , < 1.18.3
(semver)
cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:* |
|
| elixir-tesla | tesla |
Affected:
6ebfdb9abe9c6f119408045b933d82462decd351 , < 23601edac5d22ba9407b427967b5bdbda201aec2
(git)
cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48596",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T13:01:48.568462Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T13:01:52.596Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/elixir-tesla/tesla/security/advisories/GHSA-q7jx-v53g-848w"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Tesla.Multipart\u0027"
],
"packageName": "tesla",
"packageURL": "pkg:hex/tesla",
"product": "tesla",
"programFiles": [
"lib/tesla/multipart.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Tesla.Multipart\u0027:add_content_type_param/2"
},
{
"name": "\u0027Elixir.Tesla.Multipart\u0027:headers/1"
}
],
"repo": "https://github.com/elixir-tesla/tesla",
"vendor": "elixir-tesla",
"versions": [
{
"lessThan": "1.18.3",
"status": "affected",
"version": "0.8.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Tesla.Multipart\u0027"
],
"packageName": "elixir-tesla/tesla",
"packageURL": "pkg:github/elixir-tesla/tesla",
"product": "tesla",
"programFiles": [
"lib/tesla/multipart.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Tesla.Multipart\u0027:add_content_type_param/2"
},
{
"name": "\u0027Elixir.Tesla.Multipart\u0027:headers/1"
}
],
"repo": "https://github.com/elixir-tesla/tesla.git",
"vendor": "elixir-tesla",
"versions": [
{
"lessThan": "23601edac5d22ba9407b427967b5bdbda201aec2",
"status": "affected",
"version": "6ebfdb9abe9c6f119408045b933d82462decd351",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The application must pass untrusted input into \u003ctt\u003eTesla.Multipart.add_content_type_param/2\u003c/tt\u003e."
}
],
"value": "The application must pass untrusted input into Tesla.Multipart.add_content_type_param/2."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.18.3",
"versionStartIncluding": "0.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Yordis Prieto"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027) vulnerability in elixir-tesla tesla allows HTTP header injection via \u003ctt\u003eTesla.Multipart.add_content_type_param/2\u003c/tt\u003e.\u003cp\u003e\u003ctt\u003eTesla.Multipart.add_content_type_param/2\u003c/tt\u003e appends caller-supplied strings to the multipart \u003ctt\u003econtent_type_params\u003c/tt\u003e list without validating for CR (\u003ctt\u003e\\r\u003c/tt\u003e) or LF (\u003ctt\u003e\\n\u003c/tt\u003e) characters. \u003ctt\u003eTesla.Multipart.headers/1\u003c/tt\u003e then joins these params verbatim with \u003ctt\u003e\"; \"\u003c/tt\u003e to construct the outgoing \u003ctt\u003eContent-Type\u003c/tt\u003e header value. A param containing \u003ctt\u003e\\r\\n\u003c/tt\u003e splits the header line, allowing arbitrary headers to be injected into the outbound HTTP request. Any application that forwards untrusted input (such as a user-supplied charset or parameter string) into \u003ctt\u003eadd_content_type_param/2\u003c/tt\u003e is affected.\u003c/p\u003e\u003cp\u003eThis issue affects tesla: from 0.8.0 before 1.18.3.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027) vulnerability in elixir-tesla tesla allows HTTP header injection via Tesla.Multipart.add_content_type_param/2.\n\nTesla.Multipart.add_content_type_param/2 appends caller-supplied strings to the multipart content_type_params list without validating for CR (\\r) or LF (\\n) characters. Tesla.Multipart.headers/1 then joins these params verbatim with \"; \" to construct the outgoing Content-Type header value. A param containing \\r\\n splits the header line, allowing arbitrary headers to be injected into the outbound HTTP request. Any application that forwards untrusted input (such as a user-supplied charset or parameter string) into add_content_type_param/2 is affected.\n\nThis issue affects tesla: from 0.8.0 before 1.18.3."
}
],
"impacts": [
{
"capecId": "CAPEC-105",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-105 HTTP Request Splitting"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-113",
"description": "CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T04:45:42.210Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-tesla/tesla/security/advisories/GHSA-q7jx-v53g-848w"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-48596.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48596"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-tesla/tesla/commit/23601edac5d22ba9407b427967b5bdbda201aec2"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "CRLF injection in Tesla.Multipart.add_content_type_param/2 allows HTTP header injection",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Validate content-type parameter strings before passing them to \u003ctt\u003eTesla.Multipart.add_content_type_param/2\u003c/tt\u003e, rejecting any value that contains \u003ctt\u003e\\r\u003c/tt\u003e or \u003ctt\u003e\\n\u003c/tt\u003e."
}
],
"value": "Validate content-type parameter strings before passing them to Tesla.Multipart.add_content_type_param/2, rejecting any value that contains \\r or \\n."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-48596",
"datePublished": "2026-06-02T19:09:31.615Z",
"dateReserved": "2026-05-22T09:36:56.834Z",
"dateUpdated": "2026-06-04T04:45:42.210Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48594 (GCVE-0-2026-48594)
Vulnerability from cvelistv5 – Published: 2026-06-02 19:08 – Updated: 2026-06-04 04:45
VLAI
Title
Decompression bomb in Tesla.Middleware.DecompressResponse and Tesla.Middleware.Compression
Summary
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-tesla tesla allows a denial of service via decompression bomb in HTTP response bodies.
When Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression is included in a Tesla middleware pipeline, HTTP response bodies are decompressed eagerly with no size limit. The decompress_body/2 function in lib/tesla/middleware/compression.ex passes the entire response body to :zlib.gunzip/1 or :zlib.unzip/1 without any cap on the output size. Additionally, compression_algorithms/1 splits the content-encoding header on commas and decompress_body/2 recurses once per token, applying a decompression pass on each iteration. A server advertising content-encoding: gzip, gzip, gzip, gzip causes four recursive decompression passes, yielding exponential amplification: each gzip layer can expand its input roughly 1000x, so a payload of a few hundred bytes on the wire inflates to gigabytes of BEAM heap, exhausting memory and crashing or freezing the calling process.
This issue affects tesla: from 0.6.0 before 1.18.3.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/elixir-tesla/tesla/security/ad… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-48594.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-48594 | related |
| https://github.com/elixir-tesla/tesla/commit/340f… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| elixir-tesla | tesla |
Affected:
0.6.0 , < 1.18.3
(semver)
cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:* |
|
| elixir-tesla | tesla |
Affected:
5bd90bb5cf0d15e375edc2a66fa322292940fce2 , < 340f75b5d191dc747ef7ac6365bd002d1cd55a9d
(git)
cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48594",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T14:39:48.594599Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T14:39:54.578Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/elixir-tesla/tesla/security/advisories/GHSA-mc85-72gr-vm9f"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Tesla.Middleware.Compression\u0027",
"\u0027Elixir.Tesla.Middleware.DecompressResponse\u0027"
],
"packageName": "tesla",
"packageURL": "pkg:hex/tesla",
"product": "tesla",
"programFiles": [
"lib/tesla/middleware/compression.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Tesla.Middleware.DecompressResponse\u0027:call/3"
},
{
"name": "\u0027Elixir.Tesla.Middleware.Compression\u0027:call/3"
}
],
"repo": "https://github.com/elixir-tesla/tesla",
"vendor": "elixir-tesla",
"versions": [
{
"lessThan": "1.18.3",
"status": "affected",
"version": "0.6.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Tesla.Middleware.Compression\u0027",
"\u0027Elixir.Tesla.Middleware.DecompressResponse\u0027"
],
"packageName": "elixir-tesla/tesla",
"packageURL": "pkg:github/elixir-tesla/tesla",
"product": "tesla",
"programFiles": [
"lib/tesla/middleware/compression.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Tesla.Middleware.DecompressResponse\u0027:call/3"
},
{
"name": "\u0027Elixir.Tesla.Middleware.Compression\u0027:call/3"
}
],
"repo": "https://github.com/elixir-tesla/tesla.git",
"vendor": "elixir-tesla",
"versions": [
{
"lessThan": "340f75b5d191dc747ef7ac6365bd002d1cd55a9d",
"status": "affected",
"version": "5bd90bb5cf0d15e375edc2a66fa322292940fce2",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The application must include \u003ctt\u003eTesla.Middleware.DecompressResponse\u003c/tt\u003e or \u003ctt\u003eTesla.Middleware.Compression\u003c/tt\u003e in its Tesla middleware pipeline."
}
],
"value": "The application must include Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression in its Tesla middleware pipeline."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.18.3",
"versionStartIncluding": "0.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Yordis Prieto"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-tesla tesla allows a denial of service via decompression bomb in HTTP response bodies.\u003cp\u003eWhen \u003ctt\u003eTesla.Middleware.DecompressResponse\u003c/tt\u003e or \u003ctt\u003eTesla.Middleware.Compression\u003c/tt\u003e is included in a Tesla middleware pipeline, HTTP response bodies are decompressed eagerly with no size limit. The \u003ctt\u003edecompress_body/2\u003c/tt\u003e function in \u003ctt\u003elib/tesla/middleware/compression.ex\u003c/tt\u003e passes the entire response body to \u003ctt\u003e:zlib.gunzip/1\u003c/tt\u003e or \u003ctt\u003e:zlib.unzip/1\u003c/tt\u003e without any cap on the output size. Additionally, \u003ctt\u003ecompression_algorithms/1\u003c/tt\u003e splits the \u003ctt\u003econtent-encoding\u003c/tt\u003e header on commas and \u003ctt\u003edecompress_body/2\u003c/tt\u003e recurses once per token, applying a decompression pass on each iteration. A server advertising \u003ctt\u003econtent-encoding: gzip, gzip, gzip, gzip\u003c/tt\u003e causes four recursive decompression passes, yielding exponential amplification: each gzip layer can expand its input roughly 1000x, so a payload of a few hundred bytes on the wire inflates to gigabytes of BEAM heap, exhausting memory and crashing or freezing the calling process.\u003c/p\u003e\u003cp\u003eThis issue affects tesla: from 0.6.0 before 1.18.3.\u003c/p\u003e"
}
],
"value": "Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-tesla tesla allows a denial of service via decompression bomb in HTTP response bodies.\n\nWhen Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression is included in a Tesla middleware pipeline, HTTP response bodies are decompressed eagerly with no size limit. The decompress_body/2 function in lib/tesla/middleware/compression.ex passes the entire response body to :zlib.gunzip/1 or :zlib.unzip/1 without any cap on the output size. Additionally, compression_algorithms/1 splits the content-encoding header on commas and decompress_body/2 recurses once per token, applying a decompression pass on each iteration. A server advertising content-encoding: gzip, gzip, gzip, gzip causes four recursive decompression passes, yielding exponential amplification: each gzip layer can expand its input roughly 1000x, so a payload of a few hundred bytes on the wire inflates to gigabytes of BEAM heap, exhausting memory and crashing or freezing the calling process.\n\nThis issue affects tesla: from 0.6.0 before 1.18.3."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-409",
"description": "CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T04:45:31.475Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-tesla/tesla/security/advisories/GHSA-mc85-72gr-vm9f"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-48594.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48594"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-tesla/tesla/commit/340f75b5d191dc747ef7ac6365bd002d1cd55a9d"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Decompression bomb in Tesla.Middleware.DecompressResponse and Tesla.Middleware.Compression",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-48594",
"datePublished": "2026-06-02T19:08:49.596Z",
"dateReserved": "2026-05-22T09:36:56.834Z",
"dateUpdated": "2026-06-04T04:45:31.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48595 (GCVE-0-2026-48595)
Vulnerability from cvelistv5 – Published: 2026-06-02 19:08 – Updated: 2026-06-04 04:45
VLAI
Title
Authorization header leaks to third-party origin on cross-origin redirect in Tesla.Middleware.FollowRedirects
Summary
Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-origin redirects.
Tesla.Middleware.FollowRedirects strips security-sensitive headers on cross-origin redirects using a case-sensitive string comparison against a lowercase filter list (@filter_headers ["authorization", "host"]). HTTP header names are case-insensitive per RFC 7230, but Tesla preserves header keys verbatim as supplied by the caller without normalizing case. A header set as {"Authorization", "Bearer …"} (the RFC 7235 canonical casing used by virtually all HTTP libraries and documentation) does not match the lowercase filter entry and is forwarded to the redirect destination. An attacker who can control or influence a Location: response seen by the client (via their own endpoint, a redirect-open upstream, or a compromised origin) receives the bearer token or other Authorization material on the cross-origin request.
This issue affects tesla: from 1.4.0 before 1.18.3.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-178 - Improper Handling of Case Sensitivity
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/elixir-tesla/tesla/security/ad… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-48595.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-48595 | related |
| https://github.com/elixir-tesla/tesla/commit/db96… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| elixir-tesla | tesla |
Affected:
1.4.0 , < 1.18.3
(semver)
cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:* |
|
| elixir-tesla | tesla |
Affected:
2d937d5813d7cda5cd726f41824985fb655c920f , < db963dba67651b9abd1fc420a1d9679cf6efe182
(git)
cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48595",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T15:59:45.683092Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:59:54.838Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/elixir-tesla/tesla/security/advisories/GHSA-9m9w-gxf7-rh8m"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Tesla.Middleware.FollowRedirects\u0027"
],
"packageName": "tesla",
"packageURL": "pkg:hex/tesla",
"product": "tesla",
"programFiles": [
"lib/tesla/middleware/follow_redirects.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Tesla.Middleware.FollowRedirects\u0027:call/3"
}
],
"repo": "https://github.com/elixir-tesla/tesla",
"vendor": "elixir-tesla",
"versions": [
{
"lessThan": "1.18.3",
"status": "affected",
"version": "1.4.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Tesla.Middleware.FollowRedirects\u0027"
],
"packageName": "elixir-tesla/tesla",
"packageURL": "pkg:github/elixir-tesla/tesla",
"product": "tesla",
"programFiles": [
"lib/tesla/middleware/follow_redirects.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Tesla.Middleware.FollowRedirects\u0027:call/3"
}
],
"repo": "https://github.com/elixir-tesla/tesla.git",
"vendor": "elixir-tesla",
"versions": [
{
"lessThan": "db963dba67651b9abd1fc420a1d9679cf6efe182",
"status": "affected",
"version": "2d937d5813d7cda5cd726f41824985fb655c920f",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The application must include \u003ctt\u003eTesla.Middleware.FollowRedirects\u003c/tt\u003e in its Tesla middleware pipeline."
}
],
"value": "The application must include Tesla.Middleware.FollowRedirects in its Tesla middleware pipeline."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.18.3",
"versionStartIncluding": "1.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Yordis Prieto"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-origin redirects.\u003cp\u003e\u003ctt\u003eTesla.Middleware.FollowRedirects\u003c/tt\u003e strips security-sensitive headers on cross-origin redirects using a case-sensitive string comparison against a lowercase filter list (\u003ctt\u003e@filter_headers [\"authorization\", \"host\"]\u003c/tt\u003e). HTTP header names are case-insensitive per RFC 7230, but Tesla preserves header keys verbatim as supplied by the caller without normalizing case. A header set as \u003ctt\u003e{\"Authorization\", \"Bearer \u2026\"}\u003c/tt\u003e (the RFC 7235 canonical casing used by virtually all HTTP libraries and documentation) does not match the lowercase filter entry and is forwarded to the redirect destination. An attacker who can control or influence a \u003ctt\u003eLocation:\u003c/tt\u003e response seen by the client (via their own endpoint, a redirect-open upstream, or a compromised origin) receives the bearer token or other \u003ctt\u003eAuthorization\u003c/tt\u003e material on the cross-origin request.\u003c/p\u003e\u003cp\u003eThis issue affects tesla: from 1.4.0 before 1.18.3.\u003c/p\u003e"
}
],
"value": "Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-origin redirects.\n\nTesla.Middleware.FollowRedirects strips security-sensitive headers on cross-origin redirects using a case-sensitive string comparison against a lowercase filter list (@filter_headers [\"authorization\", \"host\"]). HTTP header names are case-insensitive per RFC 7230, but Tesla preserves header keys verbatim as supplied by the caller without normalizing case. A header set as {\"Authorization\", \"Bearer \u2026\"} (the RFC 7235 canonical casing used by virtually all HTTP libraries and documentation) does not match the lowercase filter entry and is forwarded to the redirect destination. An attacker who can control or influence a Location: response seen by the client (via their own endpoint, a redirect-open upstream, or a compromised origin) receives the bearer token or other Authorization material on the cross-origin request.\n\nThis issue affects tesla: from 1.4.0 before 1.18.3."
}
],
"impacts": [
{
"capecId": "CAPEC-267",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-267 Leverage Alternate Encoding"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-178",
"description": "CWE-178 Improper Handling of Case Sensitivity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T04:45:31.067Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-tesla/tesla/security/advisories/GHSA-9m9w-gxf7-rh8m"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-48595.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48595"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-tesla/tesla/commit/db963dba67651b9abd1fc420a1d9679cf6efe182"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Authorization header leaks to third-party origin on cross-origin redirect in Tesla.Middleware.FollowRedirects",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Normalize all header keys to lowercase before passing them to Tesla. Use \u003ctt\u003e\"authorization\"\u003c/tt\u003e instead of \u003ctt\u003e\"Authorization\"\u003c/tt\u003e when setting headers via \u003ctt\u003eTesla.put_header/3\u003c/tt\u003e or \u003ctt\u003eTesla.Middleware.Headers\u003c/tt\u003e."
}
],
"value": "Normalize all header keys to lowercase before passing them to Tesla. Use \"authorization\" instead of \"Authorization\" when setting headers via Tesla.put_header/3 or Tesla.Middleware.Headers."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-48595",
"datePublished": "2026-06-02T19:08:48.339Z",
"dateReserved": "2026-05-22T09:36:56.834Z",
"dateUpdated": "2026-06-04T04:45:31.067Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48597 (GCVE-0-2026-48597)
Vulnerability from cvelistv5 – Published: 2026-06-02 19:08 – Updated: 2026-06-04 04:45
VLAI
Title
Atom table exhaustion via untrusted URL scheme in Tesla.Adapter.Mint
Summary
Allocation of Resources Without Limits or Throttling vulnerability in elixir-tesla tesla allows denial of service via atom table exhaustion in Tesla.Adapter.Mint.
Tesla.Adapter.Mint.open_conn/2 converts the URL scheme of every outgoing request to a BEAM atom via String.to_atom(uri.scheme) with no allow-list validation. BEAM atoms are never garbage-collected and the atom table is bounded (approximately 1,048,576 entries by default). An attacker who can influence the URL of a Tesla request — either via an application-level URL-forwarding feature (webhook, proxy, importer) or via a Location header returned by a server when Tesla.Middleware.FollowRedirects is in the pipeline — can mint one fresh permanent atom per request by varying the scheme string. After enough requests the atom table fills and the VM crashes, taking down the entire application.
This issue affects tesla: from 1.3.0 before 1.18.3.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/elixir-tesla/tesla/security/ad… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-48597.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-48597 | related |
| https://github.com/elixir-tesla/tesla/commit/4699… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| elixir-tesla | tesla |
Affected:
1.3.0 , < 1.18.3
(semver)
cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:* |
|
| elixir-tesla | tesla |
Affected:
ccd0823d4ba37581a37d8f6108f9a81b263237ef , < 4699c3cb3e2fd6078f99f45f11cf7466aeedbf0e
(git)
cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48597",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T14:44:24.414813Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T14:44:34.559Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/elixir-tesla/tesla/security/advisories/GHSA-h74c-q9j7-mpcm"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Tesla.Adapter.Mint\u0027"
],
"packageName": "tesla",
"packageURL": "pkg:hex/tesla",
"product": "tesla",
"programFiles": [
"lib/tesla/adapter/mint.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Tesla.Adapter.Mint\u0027:open_conn/2"
}
],
"repo": "https://github.com/elixir-tesla/tesla",
"vendor": "elixir-tesla",
"versions": [
{
"lessThan": "1.18.3",
"status": "affected",
"version": "1.3.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Tesla.Adapter.Mint\u0027"
],
"packageName": "elixir-tesla/tesla",
"packageURL": "pkg:github/elixir-tesla/tesla",
"product": "tesla",
"programFiles": [
"lib/tesla/adapter/mint.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Tesla.Adapter.Mint\u0027:open_conn/2"
}
],
"repo": "https://github.com/elixir-tesla/tesla.git",
"vendor": "elixir-tesla",
"versions": [
{
"lessThan": "4699c3cb3e2fd6078f99f45f11cf7466aeedbf0e",
"status": "affected",
"version": "ccd0823d4ba37581a37d8f6108f9a81b263237ef",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The application must use \u003ctt\u003eTesla.Adapter.Mint\u003c/tt\u003e and either expose a feature that forwards attacker-controlled URLs to Tesla, or include \u003ctt\u003eTesla.Middleware.FollowRedirects\u003c/tt\u003e in the middleware pipeline."
}
],
"value": "The application must use Tesla.Adapter.Mint and either expose a feature that forwards attacker-controlled URLs to Tesla, or include Tesla.Middleware.FollowRedirects in the middleware pipeline."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.18.3",
"versionStartIncluding": "1.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Yordis Prieto"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Allocation of Resources Without Limits or Throttling vulnerability in elixir-tesla tesla allows denial of service via atom table exhaustion in \u003ctt\u003eTesla.Adapter.Mint\u003c/tt\u003e.\u003cp\u003e\u003ctt\u003eTesla.Adapter.Mint.open_conn/2\u003c/tt\u003e converts the URL scheme of every outgoing request to a BEAM atom via \u003ctt\u003eString.to_atom(uri.scheme)\u003c/tt\u003e with no allow-list validation. BEAM atoms are never garbage-collected and the atom table is bounded (approximately 1,048,576 entries by default). An attacker who can influence the URL of a Tesla request \u2014 either via an application-level URL-forwarding feature (webhook, proxy, importer) or via a \u003ctt\u003eLocation\u003c/tt\u003e header returned by a server when \u003ctt\u003eTesla.Middleware.FollowRedirects\u003c/tt\u003e is in the pipeline \u2014 can mint one fresh permanent atom per request by varying the scheme string. After enough requests the atom table fills and the VM crashes, taking down the entire application.\u003c/p\u003e\u003cp\u003eThis issue affects tesla: from 1.3.0 before 1.18.3.\u003c/p\u003e"
}
],
"value": "Allocation of Resources Without Limits or Throttling vulnerability in elixir-tesla tesla allows denial of service via atom table exhaustion in Tesla.Adapter.Mint.\n\nTesla.Adapter.Mint.open_conn/2 converts the URL scheme of every outgoing request to a BEAM atom via String.to_atom(uri.scheme) with no allow-list validation. BEAM atoms are never garbage-collected and the atom table is bounded (approximately 1,048,576 entries by default). An attacker who can influence the URL of a Tesla request \u2014 either via an application-level URL-forwarding feature (webhook, proxy, importer) or via a Location header returned by a server when Tesla.Middleware.FollowRedirects is in the pipeline \u2014 can mint one fresh permanent atom per request by varying the scheme string. After enough requests the atom table fills and the VM crashes, taking down the entire application.\n\nThis issue affects tesla: from 1.3.0 before 1.18.3."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T04:45:28.962Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-tesla/tesla/security/advisories/GHSA-h74c-q9j7-mpcm"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-48597.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48597"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-tesla/tesla/commit/4699c3cb3e2fd6078f99f45f11cf7466aeedbf0e"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Atom table exhaustion via untrusted URL scheme in Tesla.Adapter.Mint",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-48597",
"datePublished": "2026-06-02T19:08:40.203Z",
"dateReserved": "2026-05-22T09:36:56.834Z",
"dateUpdated": "2026-06-04T04:45:28.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48598 (GCVE-0-2026-48598)
Vulnerability from cvelistv5 – Published: 2026-06-02 19:08 – Updated: 2026-06-04 04:45
VLAI
Title
CRLF injection in Tesla.Multipart disposition parameters allows multipart part header injection
Summary
Improper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped Content-Disposition parameter values.
Tesla.Multipart.part_headers_for_disposition/1 interpolates each disposition parameter as #{k}="#{v}" with no validation of CR (\r), LF (\n), or double-quote characters. The values come verbatim from the caller via Tesla.Multipart.add_field/4 (the name parameter), Tesla.Multipart.add_file/3, and Tesla.Multipart.add_file_content/4 (both the filename parameter and other disposition opts). A " in the value closes the quoted parameter early; a \r\n ends the Content-Disposition header line and starts a new part header (such as a forged Content-Type), or, after a second \r\n, ends the entire part header block and prepends bytes to the part body. The default-filename path in add_file/3 derives the filename via Path.basename/1, which does not strip CR or LF, so any application forwarding a partially-attacker-controlled file path inherits the same issue.
This issue affects tesla: from 0.8.0 before 1.18.3.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/elixir-tesla/tesla/security/ad… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-48598.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-48598 | related |
| https://github.com/elixir-tesla/tesla/commit/bb1a… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| elixir-tesla | tesla |
Affected:
0.8.0 , < 1.18.3
(semver)
cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:* |
|
| elixir-tesla | tesla |
Affected:
6ebfdb9abe9c6f119408045b933d82462decd351 , < bb1a2c3da2775924d96e3db8e315dcc4d5d2246e
(git)
cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48598",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T14:58:39.064613Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:00:21.959Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/elixir-tesla/tesla/security/advisories/GHSA-28jh-g32x-v9v4"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Tesla.Multipart\u0027"
],
"packageName": "tesla",
"packageURL": "pkg:hex/tesla",
"product": "tesla",
"programFiles": [
"lib/tesla/multipart.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Tesla.Multipart\u0027:part_headers_for_disposition/1"
},
{
"name": "\u0027Elixir.Tesla.Multipart\u0027:add_field/4"
},
{
"name": "\u0027Elixir.Tesla.Multipart\u0027:add_file/3"
},
{
"name": "\u0027Elixir.Tesla.Multipart\u0027:add_file_content/4"
}
],
"repo": "https://github.com/elixir-tesla/tesla",
"vendor": "elixir-tesla",
"versions": [
{
"lessThan": "1.18.3",
"status": "affected",
"version": "0.8.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Tesla.Multipart\u0027"
],
"packageName": "elixir-tesla/tesla",
"packageURL": "pkg:github/elixir-tesla/tesla",
"product": "tesla",
"programFiles": [
"lib/tesla/multipart.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Tesla.Multipart\u0027:part_headers_for_disposition/1"
},
{
"name": "\u0027Elixir.Tesla.Multipart\u0027:add_field/4"
},
{
"name": "\u0027Elixir.Tesla.Multipart\u0027:add_file/3"
},
{
"name": "\u0027Elixir.Tesla.Multipart\u0027:add_file_content/4"
}
],
"repo": "https://github.com/elixir-tesla/tesla.git",
"vendor": "elixir-tesla",
"versions": [
{
"lessThan": "bb1a2c3da2775924d96e3db8e315dcc4d5d2246e",
"status": "affected",
"version": "6ebfdb9abe9c6f119408045b933d82462decd351",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The application must pass untrusted input into a disposition parameter of \u003ctt\u003eTesla.Multipart.add_field/4\u003c/tt\u003e, \u003ctt\u003eTesla.Multipart.add_file/3\u003c/tt\u003e, or \u003ctt\u003eTesla.Multipart.add_file_content/4\u003c/tt\u003e."
}
],
"value": "The application must pass untrusted input into a disposition parameter of Tesla.Multipart.add_field/4, Tesla.Multipart.add_file/3, or Tesla.Multipart.add_file_content/4."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.18.3",
"versionStartIncluding": "0.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Yordis Prieto"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped \u003ctt\u003eContent-Disposition\u003c/tt\u003e parameter values.\u003cp\u003e\u003ctt\u003eTesla.Multipart.part_headers_for_disposition/1\u003c/tt\u003e interpolates each disposition parameter as \u003ctt\u003e#{k}=\"#{v}\"\u003c/tt\u003e with no validation of CR (\u003ctt\u003e\\r\u003c/tt\u003e), LF (\u003ctt\u003e\\n\u003c/tt\u003e), or double-quote characters. The values come verbatim from the caller via \u003ctt\u003eTesla.Multipart.add_field/4\u003c/tt\u003e (the \u003ctt\u003ename\u003c/tt\u003e parameter), \u003ctt\u003eTesla.Multipart.add_file/3\u003c/tt\u003e, and \u003ctt\u003eTesla.Multipart.add_file_content/4\u003c/tt\u003e (both the \u003ctt\u003efilename\u003c/tt\u003e parameter and other disposition opts). A \u003ctt\u003e\"\u003c/tt\u003e in the value closes the quoted parameter early; a \u003ctt\u003e\\r\\n\u003c/tt\u003e ends the \u003ctt\u003eContent-Disposition\u003c/tt\u003e header line and starts a new part header (such as a forged \u003ctt\u003eContent-Type\u003c/tt\u003e), or, after a second \u003ctt\u003e\\r\\n\u003c/tt\u003e, ends the entire part header block and prepends bytes to the part body. The default-filename path in \u003ctt\u003eadd_file/3\u003c/tt\u003e derives the filename via \u003ctt\u003ePath.basename/1\u003c/tt\u003e, which does not strip CR or LF, so any application forwarding a partially-attacker-controlled file path inherits the same issue.\u003c/p\u003e\u003cp\u003eThis issue affects tesla: from 0.8.0 before 1.18.3.\u003c/p\u003e"
}
],
"value": "Improper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped Content-Disposition parameter values.\n\nTesla.Multipart.part_headers_for_disposition/1 interpolates each disposition parameter as #{k}=\"#{v}\" with no validation of CR (\\r), LF (\\n), or double-quote characters. The values come verbatim from the caller via Tesla.Multipart.add_field/4 (the name parameter), Tesla.Multipart.add_file/3, and Tesla.Multipart.add_file_content/4 (both the filename parameter and other disposition opts). A \" in the value closes the quoted parameter early; a \\r\\n ends the Content-Disposition header line and starts a new part header (such as a forged Content-Type), or, after a second \\r\\n, ends the entire part header block and prepends bytes to the part body. The default-filename path in add_file/3 derives the filename via Path.basename/1, which does not strip CR or LF, so any application forwarding a partially-attacker-controlled file path inherits the same issue.\n\nThis issue affects tesla: from 0.8.0 before 1.18.3."
}
],
"impacts": [
{
"capecId": "CAPEC-105",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-105 HTTP Request Splitting"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T04:45:23.895Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-tesla/tesla/security/advisories/GHSA-28jh-g32x-v9v4"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-48598.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48598"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-tesla/tesla/commit/bb1a2c3da2775924d96e3db8e315dcc4d5d2246e"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "CRLF injection in Tesla.Multipart disposition parameters allows multipart part header injection",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Validate disposition parameter values before passing them to \u003ctt\u003eTesla.Multipart.add_field/4\u003c/tt\u003e, \u003ctt\u003eTesla.Multipart.add_file/3\u003c/tt\u003e, or \u003ctt\u003eTesla.Multipart.add_file_content/4\u003c/tt\u003e, rejecting any value that contains \u003ctt\u003e\\r\u003c/tt\u003e, \u003ctt\u003e\\n\u003c/tt\u003e, or \u003ctt\u003e\"\u003c/tt\u003e."
}
],
"value": "Validate disposition parameter values before passing them to Tesla.Multipart.add_field/4, Tesla.Multipart.add_file/3, or Tesla.Multipart.add_file_content/4, rejecting any value that contains \\r, \\n, or \"."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-48598",
"datePublished": "2026-06-02T19:08:19.921Z",
"dateReserved": "2026-05-22T09:36:56.834Z",
"dateUpdated": "2026-06-04T04:45:23.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49753 (GCVE-0-2026-49753)
Vulnerability from cvelistv5 – Published: 2026-06-02 14:15 – Updated: 2026-06-02 19:14
VLAI
Title
HTTP response smuggling in Mint HTTP/1 client via lenient Content-Length parsing
Summary
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in elixir-mint Mint allows attacker-controlled HTTP/1 servers to desynchronise response framing on shared connections.
Mint's HTTP/1 Content-Length parser, Mint.HTTP1.Parse.content_length_header/1 in lib/mint/http1/parse.ex, parses the header value with Integer.parse/1, which accepts an optional + or - sign prefix. The length >= 0 guard rejects negatives, but inputs such as +0 or +123 are returned as valid lengths. RFC 7230 specifies Content-Length = 1*DIGIT, with no sign character permitted.
A fronting proxy or load balancer that strictly enforces the grammar will reject or reframe a header like Content-Length: +0, while Mint silently treats it as zero. When Mint reuses the socket (keep-alive, pipelining, or any pooled connection shared across requesters), the parser disagreement is a response-smuggling primitive: the proxy delimits the body one way, Mint another, and bytes from one response get attributed to the next. Where the same Mint connection is shared across trust boundaries, an attacker-controlled upstream can leak bytes into a different consumer's response stream.
This issue affects mint: from 0.1.0 before 1.9.0.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/elixir-mint/mint/security/advi… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-49753.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-49753 | related |
| https://github.com/elixir-mint/mint/commit/47e480… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| elixir-mint | mint |
Affected:
0.1.0 , < 1.9.0
(semver)
cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:* |
|
| elixir-mint | mint |
Affected:
65e0e86d799a6d3b08e4372fccdd9747535e0dd6 , < 47e48027480228e4e32a0b4df39db497b4804921
(git)
cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49753",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T18:06:41.525477Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T18:06:51.373Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/elixir-mint/mint/security/advisories/GHSA-mjqx-c6f6-7rc2"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Mint.HTTP1.Parse\u0027"
],
"packageName": "mint",
"packageURL": "pkg:hex/mint",
"product": "mint",
"programFiles": [
"lib/mint/http1/parse.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Mint.HTTP1.Parse\u0027:content_length_header/1"
}
],
"repo": "https://github.com/elixir-mint/mint",
"vendor": "elixir-mint",
"versions": [
{
"lessThan": "1.9.0",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Mint.HTTP1.Parse\u0027"
],
"packageName": "elixir-mint/mint",
"packageURL": "pkg:github/elixir-mint/mint",
"product": "mint",
"programFiles": [
"lib/mint/http1/parse.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Mint.HTTP1.Parse\u0027:content_length_header/1"
}
],
"repo": "https://github.com/elixir-mint/mint.git",
"vendor": "elixir-mint",
"versions": [
{
"lessThan": "47e48027480228e4e32a0b4df39db497b4804921",
"status": "affected",
"version": "65e0e86d799a6d3b08e4372fccdd9747535e0dd6",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.9.0",
"versionStartIncluding": "0.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Eric Meadows-J\u00f6nsson"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027) vulnerability in elixir-mint Mint allows attacker-controlled HTTP/1 servers to desynchronise response framing on shared connections.\u003cp\u003eMint\u0027s HTTP/1 \u003ctt\u003eContent-Length\u003c/tt\u003e parser, \u003ctt\u003e\u0027Elixir.Mint.HTTP1.Parse\u0027:content_length_header/1\u003c/tt\u003e in \u003ctt\u003elib/mint/http1/parse.ex\u003c/tt\u003e, parses the header value with \u003ctt\u003eInteger.parse/1\u003c/tt\u003e, which accepts an optional \u003ctt\u003e+\u003c/tt\u003e or \u003ctt\u003e-\u003c/tt\u003e sign prefix. The \u003ctt\u003elength \u0026gt;= 0\u003c/tt\u003e guard rejects negatives, but inputs such as \u003ctt\u003e+0\u003c/tt\u003e or \u003ctt\u003e+123\u003c/tt\u003e are returned as valid lengths. RFC 7230 specifies \u003ctt\u003eContent-Length = 1*DIGIT\u003c/tt\u003e, with no sign character permitted.\u003c/p\u003e\u003cp\u003eA fronting proxy or load balancer that strictly enforces the grammar will reject or reframe a header like \u003ctt\u003eContent-Length: +0\u003c/tt\u003e, while Mint silently treats it as zero. When Mint reuses the socket (keep-alive, pipelining, or any pooled connection shared across requesters), the parser disagreement is a response-smuggling primitive: the proxy delimits the body one way, Mint another, and bytes from one response get attributed to the next. Where the same Mint connection is shared across trust boundaries, an attacker-controlled upstream can leak bytes into a different consumer\u0027s response stream.\u003c/p\u003e\u003cp\u003eThis issue affects mint: from 0.1.0 before 1.9.0.\u003c/p\u003e"
}
],
"value": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027) vulnerability in elixir-mint Mint allows attacker-controlled HTTP/1 servers to desynchronise response framing on shared connections.\n\nMint\u0027s HTTP/1 Content-Length parser, Mint.HTTP1.Parse.content_length_header/1 in lib/mint/http1/parse.ex, parses the header value with Integer.parse/1, which accepts an optional + or - sign prefix. The length \u003e= 0 guard rejects negatives, but inputs such as +0 or +123 are returned as valid lengths. RFC 7230 specifies Content-Length = 1*DIGIT, with no sign character permitted.\n\nA fronting proxy or load balancer that strictly enforces the grammar will reject or reframe a header like Content-Length: +0, while Mint silently treats it as zero. When Mint reuses the socket (keep-alive, pipelining, or any pooled connection shared across requesters), the parser disagreement is a response-smuggling primitive: the proxy delimits the body one way, Mint another, and bytes from one response get attributed to the next. Where the same Mint connection is shared across trust boundaries, an attacker-controlled upstream can leak bytes into a different consumer\u0027s response stream.\n\nThis issue affects mint: from 0.1.0 before 1.9.0."
}
],
"impacts": [
{
"capecId": "CAPEC-273",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-273 HTTP Response Smuggling"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T19:14:42.817Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-mint/mint/security/advisories/GHSA-mjqx-c6f6-7rc2"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-49753.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-49753"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-mint/mint/commit/47e48027480228e4e32a0b4df39db497b4804921"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "HTTP response smuggling in Mint HTTP/1 client via lenient Content-Length parsing",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-49753",
"datePublished": "2026-06-02T14:15:17.078Z",
"dateReserved": "2026-06-01T13:45:22.448Z",
"dateUpdated": "2026-06-02T19:14:42.817Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49754 (GCVE-0-2026-49754)
Vulnerability from cvelistv5 – Published: 2026-06-02 14:15 – Updated: 2026-06-02 19:14
VLAI
Title
HTTP/2 CONTINUATION flood in Mint client via unbounded header-block accumulation
Summary
Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client (HTTP/2 CONTINUATION flood).
When Mint's HTTP/2 receive path observes a HEADERS frame without the END_HEADERS flag, the unparsed header-block fragment is parked in conn.headers_being_processed, and every subsequent CONTINUATION frame on that stream is appended to the accumulator. Nothing in the receive path caps the accumulator: there is no per-stream size limit, no CONTINUATION frame-count limit, and max_header_list_size is only enforced on outgoing requests, never on inbound header blocks (its default is :infinity).
A malicious or compromised HTTP/2 server can stream an endless sequence of CONTINUATION frames (each up to the peer-advertised SETTINGS_MAX_FRAME_SIZE) and drive the client's iolist to arbitrary size, causing memory exhaustion and BEAM process death. A single connection to an attacker-controlled HTTP/2 endpoint is sufficient.
This issue affects mint: from 0.1.0 before 1.9.0.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/elixir-mint/mint/security/advi… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-49754.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-49754 | related |
| https://github.com/elixir-mint/mint/commit/b662d1… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| elixir-mint | mint |
Affected:
0.1.0 , < 1.9.0
(semver)
cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:* |
|
| elixir-mint | mint |
Affected:
596ca4304504be68939c4929e0831557097962b8 , < b662d127d3028b5426c88d4c9cc7fe430491a10b
(git)
cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49754",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T18:08:02.308938Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T18:08:05.621Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/elixir-mint/mint/security/advisories/GHSA-2p26-p43x-fhp8"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Mint.HTTP2\u0027"
],
"packageName": "mint",
"packageURL": "pkg:hex/mint",
"product": "mint",
"programFiles": [
"lib/mint/http2.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Mint.HTTP2\u0027:handle_continuation/3"
},
{
"name": "\u0027Elixir.Mint.HTTP2\u0027:handle_headers/3"
}
],
"repo": "https://github.com/elixir-mint/mint",
"vendor": "elixir-mint",
"versions": [
{
"lessThan": "1.9.0",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Mint.HTTP2\u0027"
],
"packageName": "elixir-mint/mint",
"packageURL": "pkg:github/elixir-mint/mint",
"product": "mint",
"programFiles": [
"lib/mint/http2.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Mint.HTTP2\u0027:handle_continuation/3"
},
{
"name": "\u0027Elixir.Mint.HTTP2\u0027:handle_headers/3"
}
],
"repo": "https://github.com/elixir-mint/mint.git",
"vendor": "elixir-mint",
"versions": [
{
"lessThan": "b662d127d3028b5426c88d4c9cc7fe430491a10b",
"status": "affected",
"version": "596ca4304504be68939c4929e0831557097962b8",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.9.0",
"versionStartIncluding": "0.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Eric Meadows-J\u00f6nsson"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client (HTTP/2 CONTINUATION flood).\u003cp\u003eWhen Mint\u0027s HTTP/2 receive path observes a \u003ctt\u003eHEADERS\u003c/tt\u003e frame without the \u003ctt\u003eEND_HEADERS\u003c/tt\u003e flag, the unparsed header-block fragment is parked in \u003ctt\u003econn.headers_being_processed\u003c/tt\u003e, and every subsequent \u003ctt\u003eCONTINUATION\u003c/tt\u003e frame on that stream is appended to the accumulator. Nothing in the receive path caps the accumulator: there is no per-stream size limit, no \u003ctt\u003eCONTINUATION\u003c/tt\u003e frame-count limit, and \u003ctt\u003emax_header_list_size\u003c/tt\u003e is only enforced on outgoing requests, never on inbound header blocks (its default is \u003ctt\u003e:infinity\u003c/tt\u003e).\u003c/p\u003e\u003cp\u003eA malicious or compromised HTTP/2 server can stream an endless sequence of \u003ctt\u003eCONTINUATION\u003c/tt\u003e frames (each up to the peer-advertised \u003ctt\u003eSETTINGS_MAX_FRAME_SIZE\u003c/tt\u003e) and drive the client\u0027s iolist to arbitrary size, causing memory exhaustion and BEAM process death. A single connection to an attacker-controlled HTTP/2 endpoint is sufficient.\u003c/p\u003e\u003cp\u003eThis issue affects mint: from 0.1.0 before 1.9.0.\u003c/p\u003e"
}
],
"value": "Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client (HTTP/2 CONTINUATION flood).\n\nWhen Mint\u0027s HTTP/2 receive path observes a HEADERS frame without the END_HEADERS flag, the unparsed header-block fragment is parked in conn.headers_being_processed, and every subsequent CONTINUATION frame on that stream is appended to the accumulator. Nothing in the receive path caps the accumulator: there is no per-stream size limit, no CONTINUATION frame-count limit, and max_header_list_size is only enforced on outgoing requests, never on inbound header blocks (its default is :infinity).\n\nA malicious or compromised HTTP/2 server can stream an endless sequence of CONTINUATION frames (each up to the peer-advertised SETTINGS_MAX_FRAME_SIZE) and drive the client\u0027s iolist to arbitrary size, causing memory exhaustion and BEAM process death. A single connection to an attacker-controlled HTTP/2 endpoint is sufficient.\n\nThis issue affects mint: from 0.1.0 before 1.9.0."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T19:14:33.100Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-mint/mint/security/advisories/GHSA-2p26-p43x-fhp8"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-49754.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-49754"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-mint/mint/commit/b662d127d3028b5426c88d4c9cc7fe430491a10b"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "HTTP/2 CONTINUATION flood in Mint client via unbounded header-block accumulation",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRestrict Mint to HTTP/1 on connections to untrusted servers by passing \u003ctt\u003eprotocols: [:http1]\u003c/tt\u003e to \u003ctt\u003e\u0027Elixir.Mint.HTTP\u0027:connect/4\u003c/tt\u003e. This avoids the vulnerable HTTP/2 receive path entirely, at the cost of losing HTTP/2 for those connections.\u003c/p\u003e"
}
],
"value": "Restrict Mint to HTTP/1 on connections to untrusted servers by passing protocols: [:http1] to Mint.HTTP.connect/4. This avoids the vulnerable HTTP/2 receive path entirely, at the cost of losing HTTP/2 for those connections."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-49754",
"datePublished": "2026-06-02T14:15:14.951Z",
"dateReserved": "2026-06-01T13:45:22.448Z",
"dateUpdated": "2026-06-02T19:14:33.100Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48862 (GCVE-0-2026-48862)
Vulnerability from cvelistv5 – Published: 2026-06-02 14:15 – Updated: 2026-06-02 19:14
VLAI
Title
Unbounded conn.streams growth in Mint HTTP/2 client via unenforced PUSH_PROMISE concurrency
Summary
Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client via PUSH_PROMISE flooding.
In lib/mint/http2.ex, Mint.HTTP2.decode_push_promise_headers_and_add_response/5 inserts a :reserved_remote entry into conn.streams for every promised stream ID. The neighbouring Mint.HTTP2.assert_valid_promised_stream_id/2 only verifies that the promised ID is even and not already present; client_settings.max_concurrent_streams is not consulted at promise time. The concurrency cap is only checked when the response HEADERS for the promised stream arrive, so a server that emits PUSH_PROMISE frames and withholds the matching HEADERS never trips that check.
HTTP/2 server push is accepted by default (client_settings.enable_push defaults to true). A single long-lived HTTP/2 connection to a hostile server lets that server pin one conn.streams entry per PUSH_PROMISE frame it sends, with no upper bound, until the client process runs out of memory.
This issue affects mint: from 0.2.0 before 1.9.0.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/elixir-mint/mint/security/advi… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-48862.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-48862 | related |
| https://github.com/elixir-mint/mint/commit/70b97b… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| elixir-mint | mint |
Affected:
0.2.0 , < 1.9.0
(semver)
cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:* |
|
| elixir-mint | mint |
Affected:
65c6394d05a1b8aa4a7461708c3aa173e8d7a5cf , < 70b97b6a5209fb288b0e04d8e657dda26c59de67
(git)
cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48862",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T18:11:00.524487Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T18:11:05.599Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/elixir-mint/mint/security/advisories/GHSA-g586-ccqf-7x4r"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Mint.HTTP2\u0027"
],
"packageName": "mint",
"packageURL": "pkg:hex/mint",
"product": "mint",
"programFiles": [
"lib/mint/http2.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Mint.HTTP2\u0027:handle_push_promise/3"
},
{
"name": "\u0027Elixir.Mint.HTTP2\u0027:decode_push_promise_headers_and_add_response/5"
}
],
"repo": "https://github.com/elixir-mint/mint",
"vendor": "elixir-mint",
"versions": [
{
"lessThan": "1.9.0",
"status": "affected",
"version": "0.2.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Mint.HTTP2\u0027"
],
"packageName": "elixir-mint/mint",
"packageURL": "pkg:github/elixir-mint/mint",
"product": "mint",
"programFiles": [
"lib/mint/http2.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Mint.HTTP2\u0027:handle_push_promise/3"
},
{
"name": "\u0027Elixir.Mint.HTTP2\u0027:decode_push_promise_headers_and_add_response/5"
}
],
"repo": "https://github.com/elixir-mint/mint.git",
"vendor": "elixir-mint",
"versions": [
{
"lessThan": "70b97b6a5209fb288b0e04d8e657dda26c59de67",
"status": "affected",
"version": "65c6394d05a1b8aa4a7461708c3aa173e8d7a5cf",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.9.0",
"versionStartIncluding": "0.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Eric Meadows-J\u00f6nsson"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client via PUSH_PROMISE flooding.\u003cp\u003eIn \u003ctt\u003elib/mint/http2.ex\u003c/tt\u003e, \u003ctt\u003e\u0027Elixir.Mint.HTTP2\u0027:decode_push_promise_headers_and_add_response/5\u003c/tt\u003e inserts a \u003ctt\u003e:reserved_remote\u003c/tt\u003e entry into \u003ctt\u003econn.streams\u003c/tt\u003e for every promised stream ID. The neighbouring \u003ctt\u003e\u0027Elixir.Mint.HTTP2\u0027:assert_valid_promised_stream_id/2\u003c/tt\u003e only verifies that the promised ID is even and not already present; \u003ctt\u003eclient_settings.max_concurrent_streams\u003c/tt\u003e is not consulted at promise time. The concurrency cap is only checked when the response \u003ctt\u003eHEADERS\u003c/tt\u003e for the promised stream arrive, so a server that emits \u003ctt\u003ePUSH_PROMISE\u003c/tt\u003e frames and withholds the matching \u003ctt\u003eHEADERS\u003c/tt\u003e never trips that check.\u003c/p\u003e\u003cp\u003eHTTP/2 server push is accepted by default (\u003ctt\u003eclient_settings.enable_push\u003c/tt\u003e defaults to \u003ctt\u003etrue\u003c/tt\u003e). A single long-lived HTTP/2 connection to a hostile server lets that server pin one \u003ctt\u003econn.streams\u003c/tt\u003e entry per \u003ctt\u003ePUSH_PROMISE\u003c/tt\u003e frame it sends, with no upper bound, until the client process runs out of memory.\u003c/p\u003e\u003cp\u003eThis issue affects mint: from 0.2.0 before 1.9.0.\u003c/p\u003e"
}
],
"value": "Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client via PUSH_PROMISE flooding.\n\nIn lib/mint/http2.ex, Mint.HTTP2.decode_push_promise_headers_and_add_response/5 inserts a :reserved_remote entry into conn.streams for every promised stream ID. The neighbouring Mint.HTTP2.assert_valid_promised_stream_id/2 only verifies that the promised ID is even and not already present; client_settings.max_concurrent_streams is not consulted at promise time. The concurrency cap is only checked when the response HEADERS for the promised stream arrive, so a server that emits PUSH_PROMISE frames and withholds the matching HEADERS never trips that check.\n\nHTTP/2 server push is accepted by default (client_settings.enable_push defaults to true). A single long-lived HTTP/2 connection to a hostile server lets that server pin one conn.streams entry per PUSH_PROMISE frame it sends, with no upper bound, until the client process runs out of memory.\n\nThis issue affects mint: from 0.2.0 before 1.9.0."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T19:14:09.683Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-mint/mint/security/advisories/GHSA-g586-ccqf-7x4r"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-48862.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48862"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-mint/mint/commit/70b97b6a5209fb288b0e04d8e657dda26c59de67"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unbounded conn.streams growth in Mint HTTP/2 client via unenforced PUSH_PROMISE concurrency",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDisable HTTP/2 server push on connections to untrusted servers by passing \u003ctt\u003eclient_settings: [enable_push: false]\u003c/tt\u003e to \u003ctt\u003e\u0027Elixir.Mint.HTTP\u0027:connect/4\u003c/tt\u003e. This makes Mint reject any inbound \u003ctt\u003ePUSH_PROMISE\u003c/tt\u003e frame with a \u003ctt\u003ePROTOCOL_ERROR\u003c/tt\u003e before the vulnerable code path is reached.\u003c/p\u003e"
}
],
"value": "Disable HTTP/2 server push on connections to untrusted servers by passing client_settings: [enable_push: false] to Mint.HTTP.connect/4. This makes Mint reject any inbound PUSH_PROMISE frame with a PROTOCOL_ERROR before the vulnerable code path is reached."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-48862",
"datePublished": "2026-06-02T14:15:10.591Z",
"dateReserved": "2026-05-25T20:44:10.697Z",
"dateUpdated": "2026-06-02T19:14:09.683Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48861 (GCVE-0-2026-48861)
Vulnerability from cvelistv5 – Published: 2026-06-02 14:15 – Updated: 2026-06-02 19:14
VLAI
Title
CRLF injection in HTTP/1 request line via unvalidated method in Mint
Summary
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in elixir-mint Mint allows HTTP Request Splitting and HTTP Request Smuggling.
In lib/mint/http1/request.ex, the encode_request_line/2 function splices the caller-supplied method and target arguments directly into the HTTP/1 request line without any character validation: [method, ?\s, target, " HTTP/1.1\r\n"]. An application that forwards attacker-controlled input as the HTTP method or target to Mint.HTTP.request/5 is therefore exposed to request-line CRLF injection: the attacker can terminate the request line early, inject arbitrary headers, and smuggle an entirely separate pipelined HTTP request onto the same TCP connection.
Mint 1.7.0 introduced validate_request_target/2, which rejects CRLF and other control characters in the target by default and closes the path/query vector unless the caller opts out via skip_target_validation: true. The method field remains unvalidated, so the method-based injection is exploitable under the default Mint configuration on all versions.
This issue affects mint: from 0.1.0 before 1.9.0.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/elixir-mint/mint/security/advi… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-48861.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-48861 | related |
| https://github.com/elixir-mint/mint/commit/fad091… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| elixir-mint | mint |
Affected:
0.1.0 , < 1.9.0
(semver)
cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:* |
|
| elixir-mint | mint |
Affected:
8db1acff30b6a9433762c18b1e1f891b8c1f74f7 , < fad091454cbb7449b19edb8e1fee12ca7cf28c3a
(git)
cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48861",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T18:11:46.297986Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T18:12:22.736Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/elixir-mint/mint/security/advisories/GHSA-2pg6-44cx-c49v"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Mint.HTTP1.Request\u0027"
],
"packageName": "mint",
"packageURL": "pkg:hex/mint",
"product": "mint",
"programFiles": [
"lib/mint/http1/request.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Mint.HTTP1.Request\u0027:encode_request_line/2"
}
],
"repo": "https://github.com/elixir-mint/mint",
"vendor": "elixir-mint",
"versions": [
{
"lessThan": "1.9.0",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Mint.HTTP1.Request\u0027"
],
"packageName": "elixir-mint/mint",
"packageURL": "pkg:github/elixir-mint/mint",
"product": "mint",
"programFiles": [
"lib/mint/http1/request.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Mint.HTTP1.Request\u0027:encode_request_line/2"
}
],
"repo": "https://github.com/elixir-mint/mint.git",
"vendor": "elixir-mint",
"versions": [
{
"lessThan": "fad091454cbb7449b19edb8e1fee12ca7cf28c3a",
"status": "affected",
"version": "8db1acff30b6a9433762c18b1e1f891b8c1f74f7",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.9.0",
"versionStartIncluding": "0.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Eric Meadows-J\u00f6nsson"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in elixir-mint Mint allows HTTP Request Splitting and HTTP Request Smuggling.\u003cp\u003eIn \u003ctt\u003elib/mint/http1/request.ex\u003c/tt\u003e, the \u003ctt\u003eencode_request_line/2\u003c/tt\u003e function splices the caller-supplied \u003ctt\u003emethod\u003c/tt\u003e and \u003ctt\u003etarget\u003c/tt\u003e arguments directly into the HTTP/1 request line without any character validation: \u003ctt\u003e[method, ?\\s, target, \" HTTP/1.1\\r\\n\"]\u003c/tt\u003e. An application that forwards attacker-controlled input as the HTTP method or target to \u003ctt\u003e\u0027Elixir.Mint.HTTP\u0027:request/5\u003c/tt\u003e is therefore exposed to request-line CRLF injection: the attacker can terminate the request line early, inject arbitrary headers, and smuggle an entirely separate pipelined HTTP request onto the same TCP connection.\u003c/p\u003e\u003cp\u003eMint 1.7.0 introduced \u003ctt\u003evalidate_request_target/2\u003c/tt\u003e, which rejects CRLF and other control characters in the \u003ctt\u003etarget\u003c/tt\u003e by default and closes the path/query vector unless the caller opts out via \u003ctt\u003eskip_target_validation: true\u003c/tt\u003e. The \u003ctt\u003emethod\u003c/tt\u003e field remains unvalidated, so the method-based injection is exploitable under the default Mint configuration on all versions.\u003c/p\u003e\u003cp\u003eThis issue affects mint: from 0.1.0 before 1.9.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in elixir-mint Mint allows HTTP Request Splitting and HTTP Request Smuggling.\n\nIn lib/mint/http1/request.ex, the encode_request_line/2 function splices the caller-supplied method and target arguments directly into the HTTP/1 request line without any character validation: [method, ?\\s, target, \" HTTP/1.1\\r\\n\"]. An application that forwards attacker-controlled input as the HTTP method or target to Mint.HTTP.request/5 is therefore exposed to request-line CRLF injection: the attacker can terminate the request line early, inject arbitrary headers, and smuggle an entirely separate pipelined HTTP request onto the same TCP connection.\n\nMint 1.7.0 introduced validate_request_target/2, which rejects CRLF and other control characters in the target by default and closes the path/query vector unless the caller opts out via skip_target_validation: true. The method field remains unvalidated, so the method-based injection is exploitable under the default Mint configuration on all versions.\n\nThis issue affects mint: from 0.1.0 before 1.9.0."
}
],
"impacts": [
{
"capecId": "CAPEC-33",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-33 HTTP Request Smuggling"
}
]
},
{
"capecId": "CAPEC-105",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-105 HTTP Request Splitting"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T19:14:00.466Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-mint/mint/security/advisories/GHSA-2pg6-44cx-c49v"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-48861.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48861"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-mint/mint/commit/fad091454cbb7449b19edb8e1fee12ca7cf28c3a"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "CRLF injection in HTTP/1 request line via unvalidated method in Mint",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-48861",
"datePublished": "2026-06-02T14:15:09.015Z",
"dateReserved": "2026-05-25T20:44:10.697Z",
"dateUpdated": "2026-06-02T19:14:00.466Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42795 (GCVE-0-2026-42795)
Vulnerability from cvelistv5 – Published: 2026-06-02 13:41 – Updated: 2026-06-02 19:14
VLAI
Title
Symlink Following in Hex Package Export Allows Embedding Files Outside Project Root
Summary
Symlink following vulnerability in Gleam's Hex package export allows files outside the project root to be embedded in the generated package tarball.
The file collection helpers (gleam_files, native_files, private_files) in compiler-cli/src/fs.rs use follow_links(true) when walking publishable directories such as src/ and priv/. The collected paths are added to the package archive via add_path_to_tar in compiler-cli/src/publish.rs without verifying that the resolved target remains within the project root. A symlink placed under a publishable directory will cause gleam export hex-tarball or gleam publish to embed the contents of the symlink target into the generated Hex package.
An attacker with write access to the project repository can place a symlink in src/ or priv/ pointing to an arbitrary file. When a maintainer or CI pipeline runs gleam publish or gleam export hex-tarball, local files readable by the publisher (such as secrets, tokens, or SSH keys) are silently embedded into the published package artifact.
This issue affects Gleam from 0.10.0-rc1 until 1.17.0.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gleam-lang/gleam/security/advi… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-42795.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-42795 | related |
| https://github.com/gleam-lang/gleam/commit/6435a5… | patch |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Gleam | Gleam |
Affected:
0.10.0-rc1 , < 1.17.0
(semver)
cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:* |
|
| Gleam | Gleam |
Affected:
0.10.0-rc1 , < 1.17.0
(semver)
Affected: c82a2d83bd0c06cafdc196820deb3f89a9b3ff7c , < 6435a5528b9ae0449e2f32be579641ec485f6866 (git) cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:* |
|
| Gleam | Gleam |
Affected:
v0.10.0-rc1-elixir , < v1.17.0-elixir
(other)
Affected: v0.10.0-rc1-erlang , < v1.17.0-erlang (other) Affected: v0.10.0-rc1-node , < v1.17.0-node (other) Affected: v0.10.0-rc1-node-slim , < v1.17.0-node-slim (other) Affected: v0.10.0-rc1-elixir-slim , < v1.17.0-elixir-slim (other) Affected: v0.10.0-rc1-erlang-slim , < v1.17.0-erlang-slim (other) Affected: v0.10.0-rc1-erlang-alpine , < v1.17.0-erlang-alpine (other) Affected: v0.10.0-rc1-elixir-alpine , < v1.17.0-elixir-alpine (other) Affected: v0.10.0-rc1-node-alpine , < v1.17.0-node-alpine (other) Affected: v0.10.0-rc1-scratch , < v1.17.0-scratch (other) cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42795",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T15:04:06.195456Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T15:04:35.767Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/gleam-lang/gleam/security/advisories/GHSA-qhh5-fg4c-8gqc"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"compiler-cli"
],
"packageName": "gleam",
"packageURL": "pkg:sid/gleam.run/gleam",
"product": "Gleam",
"programFiles": [
"compiler-cli/src/fs.rs",
"compiler-cli/src/publish.rs"
],
"programRoutines": [
{
"name": "compiler_cli::fs::gleam_files"
},
{
"name": "compiler_cli::fs::native_files"
},
{
"name": "compiler_cli::fs::private_files"
},
{
"name": "compiler_cli::publish::project_files"
},
{
"name": "compiler_cli::publish::add_path_to_tar"
}
],
"vendor": "Gleam",
"versions": [
{
"lessThan": "1.17.0",
"status": "affected",
"version": "0.10.0-rc1",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"compiler-cli"
],
"packageName": "gleam-lang/gleam",
"packageURL": "pkg:github/gleam-lang/gleam",
"product": "Gleam",
"programFiles": [
"compiler-cli/src/fs.rs",
"compiler-cli/src/publish.rs"
],
"programRoutines": [
{
"name": "compiler_cli::fs::gleam_files"
},
{
"name": "compiler_cli::fs::native_files"
},
{
"name": "compiler_cli::fs::private_files"
},
{
"name": "compiler_cli::publish::project_files"
},
{
"name": "compiler_cli::publish::add_path_to_tar"
}
],
"repo": "https://github.com/gleam-lang/gleam",
"vendor": "Gleam",
"versions": [
{
"lessThan": "1.17.0",
"status": "affected",
"version": "0.10.0-rc1",
"versionType": "semver"
},
{
"lessThan": "6435a5528b9ae0449e2f32be579641ec485f6866",
"status": "affected",
"version": "c82a2d83bd0c06cafdc196820deb3f89a9b3ff7c",
"versionType": "git"
}
]
},
{
"collectionURL": "https://ghcr.io",
"cpes": [
"cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"compiler-cli"
],
"packageName": "gleam-lang/gleam",
"packageURL": "pkg:oci/gleam?repository_url=ghcr.io/gleam-lang",
"product": "Gleam",
"programFiles": [
"compiler-cli/src/fs.rs",
"compiler-cli/src/publish.rs"
],
"programRoutines": [
{
"name": "compiler_cli::fs::gleam_files"
},
{
"name": "compiler_cli::fs::native_files"
},
{
"name": "compiler_cli::fs::private_files"
},
{
"name": "compiler_cli::publish::project_files"
},
{
"name": "compiler_cli::publish::add_path_to_tar"
}
],
"vendor": "Gleam",
"versions": [
{
"lessThan": "v1.17.0-elixir",
"status": "affected",
"version": "v0.10.0-rc1-elixir",
"versionType": "other"
},
{
"lessThan": "v1.17.0-erlang",
"status": "affected",
"version": "v0.10.0-rc1-erlang",
"versionType": "other"
},
{
"lessThan": "v1.17.0-node",
"status": "affected",
"version": "v0.10.0-rc1-node",
"versionType": "other"
},
{
"lessThan": "v1.17.0-node-slim",
"status": "affected",
"version": "v0.10.0-rc1-node-slim",
"versionType": "other"
},
{
"lessThan": "v1.17.0-elixir-slim",
"status": "affected",
"version": "v0.10.0-rc1-elixir-slim",
"versionType": "other"
},
{
"lessThan": "v1.17.0-erlang-slim",
"status": "affected",
"version": "v0.10.0-rc1-erlang-slim",
"versionType": "other"
},
{
"lessThan": "v1.17.0-erlang-alpine",
"status": "affected",
"version": "v0.10.0-rc1-erlang-alpine",
"versionType": "other"
},
{
"lessThan": "v1.17.0-elixir-alpine",
"status": "affected",
"version": "v0.10.0-rc1-elixir-alpine",
"versionType": "other"
},
{
"lessThan": "v1.17.0-node-alpine",
"status": "affected",
"version": "v0.10.0-rc1-node-alpine",
"versionType": "other"
},
{
"lessThan": "v1.17.0-scratch",
"status": "affected",
"version": "v0.10.0-rc1-scratch",
"versionType": "other"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.17.0",
"versionStartIncluding": "0.10.0-rc1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aly (spect3r1)"
},
{
"lang": "en",
"type": "finder",
"value": "Abdelrahman Ahmed Aboelkasem (0x2face)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Louis Pilfold"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSymlink following vulnerability in Gleam\u0027s Hex package export allows files outside the project root to be embedded in the generated package tarball.\u003c/p\u003e\u003cp\u003eThe file collection helpers (\u003ctt\u003egleam_files\u003c/tt\u003e, \u003ctt\u003enative_files\u003c/tt\u003e, \u003ctt\u003eprivate_files\u003c/tt\u003e) in \u003ctt\u003ecompiler-cli/src/fs.rs\u003c/tt\u003e use \u003ctt\u003efollow_links(true)\u003c/tt\u003e when walking publishable directories such as \u003ctt\u003esrc/\u003c/tt\u003e and \u003ctt\u003epriv/\u003c/tt\u003e. The collected paths are added to the package archive via \u003ctt\u003eadd_path_to_tar\u003c/tt\u003e in \u003ctt\u003ecompiler-cli/src/publish.rs\u003c/tt\u003e without verifying that the resolved target remains within the project root. A symlink placed under a publishable directory will cause \u003ctt\u003egleam export hex-tarball\u003c/tt\u003e or \u003ctt\u003egleam publish\u003c/tt\u003e to embed the contents of the symlink target into the generated Hex package.\u003c/p\u003e\u003cp\u003eAn attacker with write access to the project repository can place a symlink in \u003ctt\u003esrc/\u003c/tt\u003e or \u003ctt\u003epriv/\u003c/tt\u003e pointing to an arbitrary file. When a maintainer or CI pipeline runs \u003ctt\u003egleam publish\u003c/tt\u003e or \u003ctt\u003egleam export hex-tarball\u003c/tt\u003e, local files readable by the publisher (such as secrets, tokens, or SSH keys) are silently embedded into the published package artifact.\u003c/p\u003e\u003cp\u003eThis issue affects Gleam from 0.10.0-rc1 until 1.17.0.\u003c/p\u003e"
}
],
"value": "Symlink following vulnerability in Gleam\u0027s Hex package export allows files outside the project root to be embedded in the generated package tarball.\n\nThe file collection helpers (gleam_files, native_files, private_files) in compiler-cli/src/fs.rs use follow_links(true) when walking publishable directories such as src/ and priv/. The collected paths are added to the package archive via add_path_to_tar in compiler-cli/src/publish.rs without verifying that the resolved target remains within the project root. A symlink placed under a publishable directory will cause gleam export hex-tarball or gleam publish to embed the contents of the symlink target into the generated Hex package.\n\nAn attacker with write access to the project repository can place a symlink in src/ or priv/ pointing to an arbitrary file. When a maintainer or CI pipeline runs gleam publish or gleam export hex-tarball, local files readable by the publisher (such as secrets, tokens, or SSH keys) are silently embedded into the published package artifact.\n\nThis issue affects Gleam from 0.10.0-rc1 until 1.17.0."
}
],
"impacts": [
{
"capecId": "CAPEC-132",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-132 Symlink Attack"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T19:14:25.176Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/gleam-lang/gleam/security/advisories/GHSA-qhh5-fg4c-8gqc"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-42795.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-42795"
},
{
"tags": [
"patch"
],
"url": "https://github.com/gleam-lang/gleam/commit/6435a5528b9ae0449e2f32be579641ec485f6866"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Symlink Following in Hex Package Export Allows Embedding Files Outside Project Root",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eAvoid running \u003ctt\u003egleam publish\u003c/tt\u003e or \u003ctt\u003egleam export hex-tarball\u003c/tt\u003e on untrusted projects\u003c/li\u003e\u003cli\u003eReview the contents of \u003ctt\u003esrc/\u003c/tt\u003e and \u003ctt\u003epriv/\u003c/tt\u003e for unexpected symlinks before publishing\u003c/li\u003e\u003cli\u003eRun publishing commands in a restricted or isolated environment (e.g. containers)\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Avoid running gleam publish or gleam export hex-tarball on untrusted projects\n* Review the contents of src/ and priv/ for unexpected symlinks before publishing\n* Run publishing commands in a restricted or isolated environment (e.g. containers)"
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-42795",
"datePublished": "2026-06-02T13:41:39.527Z",
"dateReserved": "2026-04-29T18:06:33.251Z",
"dateUpdated": "2026-06-02T19:14:25.176Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32685 (GCVE-0-2026-32685)
Vulnerability from cvelistv5 – Published: 2026-06-02 13:41 – Updated: 2026-06-02 19:14
VLAI
Title
Path Traversal in gleam docs build via documentation.pages Allows Arbitrary File Read and Write
Summary
Path traversal vulnerability in Gleam's handling of custom documentation pages allows arbitrary file read and file write outside the intended documentation output directory.
The documentation.pages entries from gleam.toml are incorporated into filesystem paths without sufficient validation or confinement to the intended project and documentation output directories. The documentation.pages[].path field can be used to write generated documentation files outside the intended build/dev/docs/<package>/ output directory. The documentation.pages[].source field can be used to read files outside the project directory and embed their contents into generated documentation output.
An attacker who can convince a victim to run gleam docs build on an untrusted project, or with untrusted gleam.toml content, can cause local files readable by the victim to be included in generated documentation artifacts, and can cause generated documentation files to be written outside the intended docs output directory.
This issue affects Gleam from 1.16.0 until 1.17.0.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/gleam-lang/gleam/security/advi… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-32685.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-32685 | related |
| https://github.com/gleam-lang/gleam/commit/815706… | patch |
| https://github.com/gleam-lang/gleam/commit/c9230c… | patch |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Gleam | Gleam |
Affected:
1.16.0 , < 1.17.0
(semver)
cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:* |
|
| Gleam | Gleam |
Affected:
1.16.0 , < 1.17.0
(semver)
Affected: 61ed8deb6572b5591ad17d6302c1a38607522f16 , < 81570611906b6b0039c948037094d09a68700f3a (git) cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:* |
|
| Gleam | Gleam |
Affected:
v1.16.0-elixir , < v1.17.0-elixir
(other)
Affected: v1.16.0-erlang , < v1.17.0-erlang (other) Affected: v1.16.0-node , < v1.17.0-node (other) Affected: v1.16.0-node-slim , < v1.17.0-node-slim (other) Affected: v1.16.0-elixir-slim , < v1.17.0-elixir-slim (other) Affected: v1.16.0-erlang-slim , < v1.17.0-erlang-slim (other) Affected: v1.16.0-erlang-alpine , < v1.17.0-erlang-alpine (other) Affected: v1.16.0-elixir-alpine , < v1.17.0-elixir-alpine (other) Affected: v1.16.0-node-alpine , < v1.17.0-node-alpine (other) Affected: v1.16.0-scratch , < v1.17.0-scratch (other) cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32685",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T15:06:11.916565Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T15:06:40.363Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/gleam-lang/gleam/security/advisories/GHSA-wjx8-7w8m-p4v7"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"compiler-core",
"compiler-cli"
],
"packageName": "gleam",
"packageURL": "pkg:sid/gleam.run/gleam",
"product": "Gleam",
"programFiles": [
"compiler-core/src/config.rs",
"compiler-core/src/docs.rs",
"compiler-cli/src/docs.rs",
"compiler-cli/src/fs.rs"
],
"programRoutines": [
{
"name": "compiler_cli::docs::build_project"
},
{
"name": "compiler_core::docs::generate_html"
}
],
"vendor": "Gleam",
"versions": [
{
"lessThan": "1.17.0",
"status": "affected",
"version": "1.16.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"compiler-core",
"compiler-cli"
],
"packageName": "gleam-lang/gleam",
"packageURL": "pkg:github/gleam-lang/gleam",
"product": "Gleam",
"programFiles": [
"compiler-core/src/config.rs",
"compiler-core/src/docs.rs",
"compiler-cli/src/docs.rs",
"compiler-cli/src/fs.rs"
],
"programRoutines": [
{
"name": "compiler_cli::docs::build_project"
},
{
"name": "compiler_core::docs::generate_html"
}
],
"repo": "https://github.com/gleam-lang/gleam",
"vendor": "Gleam",
"versions": [
{
"lessThan": "1.17.0",
"status": "affected",
"version": "1.16.0",
"versionType": "semver"
},
{
"lessThan": "81570611906b6b0039c948037094d09a68700f3a",
"status": "affected",
"version": "61ed8deb6572b5591ad17d6302c1a38607522f16",
"versionType": "git"
}
]
},
{
"collectionURL": "https://ghcr.io",
"cpes": [
"cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"compiler-core",
"compiler-cli"
],
"packageName": "gleam-lang/gleam",
"packageURL": "pkg:oci/gleam?repository_url=ghcr.io/gleam-lang",
"product": "Gleam",
"programFiles": [
"compiler-core/src/config.rs",
"compiler-core/src/docs.rs",
"compiler-cli/src/docs.rs",
"compiler-cli/src/fs.rs"
],
"programRoutines": [
{
"name": "compiler_cli::docs::build_project"
},
{
"name": "compiler_core::docs::generate_html"
}
],
"vendor": "Gleam",
"versions": [
{
"lessThan": "v1.17.0-elixir",
"status": "affected",
"version": "v1.16.0-elixir",
"versionType": "other"
},
{
"lessThan": "v1.17.0-erlang",
"status": "affected",
"version": "v1.16.0-erlang",
"versionType": "other"
},
{
"lessThan": "v1.17.0-node",
"status": "affected",
"version": "v1.16.0-node",
"versionType": "other"
},
{
"lessThan": "v1.17.0-node-slim",
"status": "affected",
"version": "v1.16.0-node-slim",
"versionType": "other"
},
{
"lessThan": "v1.17.0-elixir-slim",
"status": "affected",
"version": "v1.16.0-elixir-slim",
"versionType": "other"
},
{
"lessThan": "v1.17.0-erlang-slim",
"status": "affected",
"version": "v1.16.0-erlang-slim",
"versionType": "other"
},
{
"lessThan": "v1.17.0-erlang-alpine",
"status": "affected",
"version": "v1.16.0-erlang-alpine",
"versionType": "other"
},
{
"lessThan": "v1.17.0-elixir-alpine",
"status": "affected",
"version": "v1.16.0-elixir-alpine",
"versionType": "other"
},
{
"lessThan": "v1.17.0-node-alpine",
"status": "affected",
"version": "v1.16.0-node-alpine",
"versionType": "other"
},
{
"lessThan": "v1.17.0-scratch",
"status": "affected",
"version": "v1.16.0-scratch",
"versionType": "other"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe project must use custom documentation pages via \u003ctt\u003edocumentation.pages\u003c/tt\u003e in \u003ctt\u003egleam.toml\u003c/tt\u003e, and the victim must run \u003ctt\u003egleam docs build\u003c/tt\u003e on an untrusted project or with untrusted \u003ctt\u003egleam.toml\u003c/tt\u003e content. Projects that do not use custom documentation pages are not affected.\u003c/p\u003e"
}
],
"value": "The project must use custom documentation pages via documentation.pages in gleam.toml, and the victim must run gleam docs build on an untrusted project or with untrusted gleam.toml content. Projects that do not use custom documentation pages are not affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.17.0",
"versionStartIncluding": "1.16.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "evipepota"
},
{
"lang": "en",
"type": "remediation developer",
"value": "evipepota"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Louis Pilfold"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003ePath traversal vulnerability in Gleam\u0027s handling of custom documentation pages allows arbitrary file read and file write outside the intended documentation output directory.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003edocumentation.pages\u003c/tt\u003e entries from \u003ctt\u003egleam.toml\u003c/tt\u003e are incorporated into filesystem paths without sufficient validation or confinement to the intended project and documentation output directories. The \u003ctt\u003edocumentation.pages[].path\u003c/tt\u003e field can be used to write generated documentation files outside the intended \u003ctt\u003ebuild/dev/docs/\u0026lt;package\u0026gt;/\u003c/tt\u003e output directory. The \u003ctt\u003edocumentation.pages[].source\u003c/tt\u003e field can be used to read files outside the project directory and embed their contents into generated documentation output.\u003c/p\u003e\u003cp\u003eAn attacker who can convince a victim to run \u003ctt\u003egleam docs build\u003c/tt\u003e on an untrusted project, or with untrusted \u003ctt\u003egleam.toml\u003c/tt\u003e content, can cause local files readable by the victim to be included in generated documentation artifacts, and can cause generated documentation files to be written outside the intended docs output directory.\u003c/p\u003e\u003cp\u003eThis issue affects Gleam from 1.16.0 until 1.17.0.\u003c/p\u003e"
}
],
"value": "Path traversal vulnerability in Gleam\u0027s handling of custom documentation pages allows arbitrary file read and file write outside the intended documentation output directory.\n\nThe documentation.pages entries from gleam.toml are incorporated into filesystem paths without sufficient validation or confinement to the intended project and documentation output directories. The documentation.pages[].path field can be used to write generated documentation files outside the intended build/dev/docs/\u003cpackage\u003e/ output directory. The documentation.pages[].source field can be used to read files outside the project directory and embed their contents into generated documentation output.\n\nAn attacker who can convince a victim to run gleam docs build on an untrusted project, or with untrusted gleam.toml content, can cause local files readable by the victim to be included in generated documentation artifacts, and can cause generated documentation files to be written outside the intended docs output directory.\n\nThis issue affects Gleam from 1.16.0 until 1.17.0."
}
],
"impacts": [
{
"capecId": "CAPEC-139",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-139 Relative Path Traversal"
}
]
},
{
"capecId": "CAPEC-597",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-597 Absolute Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T19:14:20.700Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/gleam-lang/gleam/security/advisories/GHSA-wjx8-7w8m-p4v7"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-32685.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-32685"
},
{
"tags": [
"patch"
],
"url": "https://github.com/gleam-lang/gleam/commit/81570611906b6b0039c948037094d09a68700f3a"
},
{
"tags": [
"patch"
],
"url": "https://github.com/gleam-lang/gleam/commit/c9230cd3045de8fd8481dae3a4557c0146df1430"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Path Traversal in gleam docs build via documentation.pages Allows Arbitrary File Read and Write",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eAvoid running \u003ctt\u003egleam docs build\u003c/tt\u003e on untrusted projects\u003c/li\u003e\u003cli\u003eReview \u003ctt\u003edocumentation.pages\u003c/tt\u003e entries in \u003ctt\u003egleam.toml\u003c/tt\u003e before generating documentation\u003c/li\u003e\u003cli\u003eRun documentation generation in a restricted or isolated environment (e.g. containers)\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Avoid running gleam docs build on untrusted projects\n* Review documentation.pages entries in gleam.toml before generating documentation\n* Run documentation generation in a restricted or isolated environment (e.g. containers)"
}
],
"x_generator": {
"engine": "Vulnogram 1.0.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-32685",
"datePublished": "2026-06-02T13:41:37.885Z",
"dateReserved": "2026-03-13T09:12:14.474Z",
"dateUpdated": "2026-06-02T19:14:20.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43965 (GCVE-0-2026-43965)
Vulnerability from cvelistv5 – Published: 2026-06-02 13:41 – Updated: 2026-06-02 19:14
VLAI
Title
Path Traversal in build/packages/packages.toml Allows Arbitrary Directory Deletion
Summary
Path traversal vulnerability in Gleam's dependency management allows arbitrary directory deletion via malicious build/packages/packages.toml content.
Package keys read from build/packages/packages.toml by LocalPackages::read_from_disc are passed without validation to paths.build_packages_package(), which constructs a filesystem path by joining the project build directory with the attacker-controlled key. The resulting path is then passed to fs::delete_directory (which calls remove_dir_all). No check is performed to ensure the path remains within the intended build/packages/ directory. Both absolute paths and relative traversal sequences (e.g. ../) are accepted as package keys, allowing deletion of arbitrary directories.
An attacker who can cause a victim to run gleam deps download on a project containing a malicious build/packages/packages.toml (e.g. by committing the normally-gitignored file to a repository) can cause arbitrary directories on the victim's system to be recursively deleted.
This issue affects Gleam from 0.18.0-rc1 until 1.17.0.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gleam-lang/gleam/security/advi… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-43965.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-43965 | related |
| https://github.com/gleam-lang/gleam/commit/690ca0… | patch |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Gleam | Gleam |
Affected:
0.18.0-rc1 , < 1.17.0
(semver)
cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:* |
|
| Gleam | Gleam |
Affected:
0.18.0-rc1 , < 1.17.0
(semver)
Affected: ed7aec0484f10d60978b63788c8a6497590855ab , < 690ca069817bee5f77a28fc3e360627c1da19291 (git) cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:* |
|
| Gleam | Gleam |
Affected:
v0.18.0-rc1-elixir , < v1.17.0-elixir
(other)
Affected: v0.18.0-rc1-erlang , < v1.17.0-erlang (other) Affected: v0.18.0-rc1-node , < v1.17.0-node (other) Affected: v0.18.0-rc1-node-slim , < v1.17.0-node-slim (other) Affected: v0.18.0-rc1-elixir-slim , < v1.17.0-elixir-slim (other) Affected: v0.18.0-rc1-erlang-slim , < v1.17.0-erlang-slim (other) Affected: v0.18.0-rc1-erlang-alpine , < v1.17.0-erlang-alpine (other) Affected: v0.18.0-rc1-elixir-alpine , < v1.17.0-elixir-alpine (other) Affected: v0.18.0-rc1-node-alpine , < v1.17.0-node-alpine (other) Affected: v0.18.0-rc1-scratch , < v1.17.0-scratch (other) cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-43965",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T15:07:44.667204Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T15:08:13.970Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/gleam-lang/gleam/security/advisories/GHSA-jqvf-f6p2-wrv3"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"compiler-cli"
],
"packageName": "gleam",
"packageURL": "pkg:sid/gleam.run/gleam",
"product": "Gleam",
"programFiles": [
"compiler-cli/src/dependencies.rs"
],
"programRoutines": [
{
"name": "compiler_cli::dependencies::remove_extra_packages"
},
{
"name": "compiler_cli::dependencies::LocalPackages::read_from_disc"
},
{
"name": "compiler_cli::dependencies::LocalPackages::extra_local_packages"
}
],
"vendor": "Gleam",
"versions": [
{
"lessThan": "1.17.0",
"status": "affected",
"version": "0.18.0-rc1",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"compiler-cli"
],
"packageName": "gleam-lang/gleam",
"packageURL": "pkg:github/gleam-lang/gleam",
"product": "Gleam",
"programFiles": [
"compiler-cli/src/dependencies.rs"
],
"programRoutines": [
{
"name": "compiler_cli::dependencies::remove_extra_packages"
},
{
"name": "compiler_cli::dependencies::LocalPackages::read_from_disc"
},
{
"name": "compiler_cli::dependencies::LocalPackages::extra_local_packages"
}
],
"repo": "https://github.com/gleam-lang/gleam",
"vendor": "Gleam",
"versions": [
{
"lessThan": "1.17.0",
"status": "affected",
"version": "0.18.0-rc1",
"versionType": "semver"
},
{
"lessThan": "690ca069817bee5f77a28fc3e360627c1da19291",
"status": "affected",
"version": "ed7aec0484f10d60978b63788c8a6497590855ab",
"versionType": "git"
}
]
},
{
"collectionURL": "https://ghcr.io",
"cpes": [
"cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"compiler-cli"
],
"packageName": "gleam-lang/gleam",
"packageURL": "pkg:oci/gleam?repository_url=ghcr.io/gleam-lang",
"product": "Gleam",
"programFiles": [
"compiler-cli/src/dependencies.rs"
],
"programRoutines": [
{
"name": "compiler_cli::dependencies::remove_extra_packages"
},
{
"name": "compiler_cli::dependencies::LocalPackages::read_from_disc"
},
{
"name": "compiler_cli::dependencies::LocalPackages::extra_local_packages"
}
],
"vendor": "Gleam",
"versions": [
{
"lessThan": "v1.17.0-elixir",
"status": "affected",
"version": "v0.18.0-rc1-elixir",
"versionType": "other"
},
{
"lessThan": "v1.17.0-erlang",
"status": "affected",
"version": "v0.18.0-rc1-erlang",
"versionType": "other"
},
{
"lessThan": "v1.17.0-node",
"status": "affected",
"version": "v0.18.0-rc1-node",
"versionType": "other"
},
{
"lessThan": "v1.17.0-node-slim",
"status": "affected",
"version": "v0.18.0-rc1-node-slim",
"versionType": "other"
},
{
"lessThan": "v1.17.0-elixir-slim",
"status": "affected",
"version": "v0.18.0-rc1-elixir-slim",
"versionType": "other"
},
{
"lessThan": "v1.17.0-erlang-slim",
"status": "affected",
"version": "v0.18.0-rc1-erlang-slim",
"versionType": "other"
},
{
"lessThan": "v1.17.0-erlang-alpine",
"status": "affected",
"version": "v0.18.0-rc1-erlang-alpine",
"versionType": "other"
},
{
"lessThan": "v1.17.0-elixir-alpine",
"status": "affected",
"version": "v0.18.0-rc1-elixir-alpine",
"versionType": "other"
},
{
"lessThan": "v1.17.0-node-alpine",
"status": "affected",
"version": "v0.18.0-rc1-node-alpine",
"versionType": "other"
},
{
"lessThan": "v1.17.0-scratch",
"status": "affected",
"version": "v0.18.0-rc1-scratch",
"versionType": "other"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.17.0",
"versionStartIncluding": "0.18.0-rc1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aly (spect3r1)"
},
{
"lang": "en",
"type": "finder",
"value": "Abdelrahman Ahmed Aboelkasem (0x2face)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Louis Pilfold"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003ePath traversal vulnerability in Gleam\u0027s dependency management allows arbitrary directory deletion via malicious \u003ctt\u003ebuild/packages/packages.toml\u003c/tt\u003e content.\u003c/p\u003e\u003cp\u003ePackage keys read from \u003ctt\u003ebuild/packages/packages.toml\u003c/tt\u003e by \u003ctt\u003eLocalPackages::read_from_disc\u003c/tt\u003e are passed without validation to \u003ctt\u003epaths.build_packages_package()\u003c/tt\u003e, which constructs a filesystem path by joining the project build directory with the attacker-controlled key. The resulting path is then passed to \u003ctt\u003efs::delete_directory\u003c/tt\u003e (which calls \u003ctt\u003eremove_dir_all\u003c/tt\u003e). No check is performed to ensure the path remains within the intended \u003ctt\u003ebuild/packages/\u003c/tt\u003e directory. Both absolute paths and relative traversal sequences (e.g. \u003ctt\u003e../\u003c/tt\u003e) are accepted as package keys, allowing deletion of arbitrary directories.\u003c/p\u003e\u003cp\u003eAn attacker who can cause a victim to run \u003ctt\u003egleam deps download\u003c/tt\u003e on a project containing a malicious \u003ctt\u003ebuild/packages/packages.toml\u003c/tt\u003e (e.g. by committing the normally-gitignored file to a repository) can cause arbitrary directories on the victim\u0027s system to be recursively deleted.\u003c/p\u003e\u003cp\u003eThis issue affects Gleam from 0.18.0-rc1 until 1.17.0.\u003c/p\u003e"
}
],
"value": "Path traversal vulnerability in Gleam\u0027s dependency management allows arbitrary directory deletion via malicious build/packages/packages.toml content.\n\nPackage keys read from build/packages/packages.toml by LocalPackages::read_from_disc are passed without validation to paths.build_packages_package(), which constructs a filesystem path by joining the project build directory with the attacker-controlled key. The resulting path is then passed to fs::delete_directory (which calls remove_dir_all). No check is performed to ensure the path remains within the intended build/packages/ directory. Both absolute paths and relative traversal sequences (e.g. ../) are accepted as package keys, allowing deletion of arbitrary directories.\n\nAn attacker who can cause a victim to run gleam deps download on a project containing a malicious build/packages/packages.toml (e.g. by committing the normally-gitignored file to a repository) can cause arbitrary directories on the victim\u0027s system to be recursively deleted.\n\nThis issue affects Gleam from 0.18.0-rc1 until 1.17.0."
}
],
"impacts": [
{
"capecId": "CAPEC-139",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-139 Relative Path Traversal"
}
]
},
{
"capecId": "CAPEC-597",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-597 Absolute Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T19:14:19.113Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/gleam-lang/gleam/security/advisories/GHSA-jqvf-f6p2-wrv3"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-43965.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-43965"
},
{
"tags": [
"patch"
],
"url": "https://github.com/gleam-lang/gleam/commit/690ca069817bee5f77a28fc3e360627c1da19291"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Path Traversal in build/packages/packages.toml Allows Arbitrary Directory Deletion",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-43965",
"datePublished": "2026-06-02T13:41:37.421Z",
"dateReserved": "2026-05-04T18:23:25.573Z",
"dateUpdated": "2026-06-02T19:14:19.113Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47074 (GCVE-0-2026-47074)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:05 – Updated: 2026-05-29 04:40
VLAI
Title
ex_aws_sns SigningCertURL not validated in verify_message/1
Summary
Improper Certificate Validation vulnerability in ex-aws ex_aws_sns (ExAws.SNS, ExAws.SNS.PublicKeyCache modules) allows Signature Spoofing by Improper Validation.
This vulnerability is associated with program files lib/ex_aws/sns.ex, lib/ex_aws/sns/public_key_cache.ex and program routines 'Elixir.ExAws.SNS':verify_message/1, 'Elixir.ExAws.SNS.PublicKeyCache':get/1.
'Elixir.ExAws.SNS':verify_message/1 fetches the signing certificate from the SigningCertURL field of the incoming SNS message without validating that the URL uses HTTPS or that the host matches an AWS-owned SNS certificate domain. An unauthenticated attacker who can POST to an endpoint that calls verify_message/1 can supply an attacker-controlled SigningCertURL, sign a forged SNS message with their own key, and cause the function to return :ok, completely bypassing SNS signature verification.
This issue affects ex_aws_sns: from 2.0.1 before 2.3.5.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-295 - Improper Certificate Validation
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/ex-aws/ex_aws_sns/security/adv… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-47074.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-47074 | related |
| https://github.com/ex-aws/ex_aws_sns/commit/1853d… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| ex-aws | ex_aws_sns |
Affected:
2.0.1 , < 2.3.5
(semver)
cpe:2.3:a:ex_aws_sns_project:ex_aws_sns:*:*:*:*:*:*:*:* |
|
| ex-aws | ex_aws_sns |
Affected:
a7ec21880943f4dac1d59bda557db0ffcd2b61fa , < 1853d280b152d10384a1e21a22cf22152a60be48
(git)
cpe:2.3:a:ex_aws_sns_project:ex_aws_sns:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47074",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T10:29:45.193313Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T10:31:15.111Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://hex.pm",
"cpes": [
"cpe:2.3:a:ex_aws_sns_project:ex_aws_sns:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.ExAws.SNS\u0027",
"\u0027Elixir.ExAws.SNS.PublicKeyCache\u0027"
],
"packageName": "ex_aws_sns",
"packageURL": "pkg:hex/ex_aws_sns",
"product": "ex_aws_sns",
"programFiles": [
"lib/ex_aws/sns.ex",
"lib/ex_aws/sns/public_key_cache.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.ExAws.SNS\u0027:verify_message/1"
},
{
"name": "\u0027Elixir.ExAws.SNS.PublicKeyCache\u0027:get/1"
}
],
"repo": "https://github.com/ex-aws/ex_aws_sns",
"vendor": "ex-aws",
"versions": [
{
"lessThan": "2.3.5",
"status": "affected",
"version": "2.0.1",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:ex_aws_sns_project:ex_aws_sns:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.ExAws.SNS\u0027",
"\u0027Elixir.ExAws.SNS.PublicKeyCache\u0027"
],
"packageName": "ex-aws/ex_aws_sns",
"packageURL": "pkg:github/ex-aws/ex_aws_sns",
"product": "ex_aws_sns",
"programFiles": [
"lib/ex_aws/sns.ex",
"lib/ex_aws/sns/public_key_cache.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.ExAws.SNS\u0027:verify_message/1"
},
{
"name": "\u0027Elixir.ExAws.SNS.PublicKeyCache\u0027:get/1"
}
],
"repo": "https://github.com/ex-aws/ex_aws_sns",
"vendor": "ex-aws",
"versions": [
{
"lessThan": "1853d280b152d10384a1e21a22cf22152a60be48",
"status": "affected",
"version": "a7ec21880943f4dac1d59bda557db0ffcd2b61fa",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe application must expose an HTTP endpoint that calls \u003ctt\u003e\u0027Elixir.ExAws.SNS\u0027:verify_message/1\u003c/tt\u003e on incoming request bodies.\u003c/p\u003e"
}
],
"value": "The application must expose an HTTP endpoint that calls \u0027Elixir.ExAws.SNS\u0027:verify_message/1 on incoming request bodies."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ex_aws_sns_project:ex_aws_sns:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.3.5",
"versionStartIncluding": "2.0.1",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Bernard Duggan"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Certificate Validation vulnerability in ex-aws ex_aws_sns (\u003ctt\u003eExAws.SNS\u003c/tt\u003e, \u003ctt\u003eExAws.SNS.PublicKeyCache\u003c/tt\u003e modules) allows Signature Spoofing by Improper Validation.\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/ex_aws/sns.ex\u003c/tt\u003e, \u003ctt\u003elib/ex_aws/sns/public_key_cache.ex\u003c/tt\u003e and program routines \u003ctt\u003e\u0027Elixir.ExAws.SNS\u0027:verify_message/1\u003c/tt\u003e, \u003ctt\u003e\u0027Elixir.ExAws.SNS.PublicKeyCache\u0027:get/1\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003e\u003ctt\u003e\u0027Elixir.ExAws.SNS\u0027:verify_message/1\u003c/tt\u003e fetches the signing certificate from the \u003ctt\u003eSigningCertURL\u003c/tt\u003e field of the incoming SNS message without validating that the URL uses HTTPS or that the host matches an AWS-owned SNS certificate domain. An unauthenticated attacker who can POST to an endpoint that calls \u003ctt\u003everify_message/1\u003c/tt\u003e can supply an attacker-controlled \u003ctt\u003eSigningCertURL\u003c/tt\u003e, sign a forged SNS message with their own key, and cause the function to return \u003ctt\u003e:ok\u003c/tt\u003e, completely bypassing SNS signature verification.\u003c/p\u003e\u003cp\u003eThis issue affects ex_aws_sns: from 2.0.1 before 2.3.5.\u003c/p\u003e"
}
],
"value": "Improper Certificate Validation vulnerability in ex-aws ex_aws_sns (ExAws.SNS, ExAws.SNS.PublicKeyCache modules) allows Signature Spoofing by Improper Validation.\n\nThis vulnerability is associated with program files lib/ex_aws/sns.ex, lib/ex_aws/sns/public_key_cache.ex and program routines \u0027Elixir.ExAws.SNS\u0027:verify_message/1, \u0027Elixir.ExAws.SNS.PublicKeyCache\u0027:get/1.\n\n\u0027Elixir.ExAws.SNS\u0027:verify_message/1 fetches the signing certificate from the SigningCertURL field of the incoming SNS message without validating that the URL uses HTTPS or that the host matches an AWS-owned SNS certificate domain. An unauthenticated attacker who can POST to an endpoint that calls verify_message/1 can supply an attacker-controlled SigningCertURL, sign a forged SNS message with their own key, and cause the function to return :ok, completely bypassing SNS signature verification.\n\nThis issue affects ex_aws_sns: from 2.0.1 before 2.3.5."
}
],
"impacts": [
{
"capecId": "CAPEC-473",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-473 Signature Spoofing by Improper Validation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T04:40:43.232Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/ex-aws/ex_aws_sns/security/advisories/GHSA-8jgf-23q5-x7xx"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-47074.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-47074"
},
{
"tags": [
"patch"
],
"url": "https://github.com/ex-aws/ex_aws_sns/commit/1853d280b152d10384a1e21a22cf22152a60be48"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "ex_aws_sns SigningCertURL not validated in verify_message/1",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-47074",
"datePublished": "2026-05-28T09:05:54.815Z",
"dateReserved": "2026-05-18T17:28:08.322Z",
"dateUpdated": "2026-05-29T04:40:43.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42790 (GCVE-0-2026-42790)
Vulnerability from cvelistv5 – Published: 2026-05-27 15:09 – Updated: 2026-05-28 04:39
VLAI
Title
nameConstraints DNS bypass via subject CommonName fallback in public_key hostname verification
Summary
Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_cert and public_key modules) allows a DNS nameConstraints bypass via subject CommonName fallback in TLS hostname verification.
Two flaws combine to allow a subordinate CA whose DNS nameConstraints are restricted (e.g. permitted;DNS:allowed.example.com) to issue a leaf certificate that an OTP TLS client accepts as a valid identity for an out-of-scope hostname (e.g. victim.example.com):
First, pubkey_cert:validate_names/6 in lib/public_key/src/pubkey_cert.erl only checks SAN DNS entries against nameConstraints. Per RFC 5280, a permitted DNS subtree only restricts certificates that contain a DNS-typed name. A leaf with no subjectAltName therefore trivially satisfies any permitted;DNS:... constraint regardless of its subject commonName.
Second, public_key:pkix_verify_hostname/3 in lib/public_key/src/public_key.erl falls back to the subject commonName when no subjectAltName is present, extracting id-at-commonName attributes as presented IDs and matching them against the reference hostname. The strict pkix_verify_hostname_match_fun(https) matcher does not suppress this fallback.
The result is that path validation accepts a CN-only leaf under a DNS-constrained intermediate (no SAN means the nameConstraints are not triggered), and hostname verification then accepts it via the CN fallback. The bypass is reachable from stock ssl:connect with verify_peer, a trusted CA, SNI, and the canonical strict https hostname matcher.
This issue affects OTP from OTP 19.3 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 1.4 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://github.com/erlang/otp/security/advisories… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-42790.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-42790 | related |
| https://www.erlang.org/doc/system/versions.html#o… | x_version-scheme |
| https://github.com/erlang/otp/commit/0769050c69d7… | patch |
| https://github.com/erlang/otp/commit/fb67c6d1836f… | patch |
| https://github.com/erlang/otp/commit/21abed64eb20… | patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42790",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T03:55:49.233Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"pubkey_cert",
"public_key"
],
"packageName": "public_key",
"packageURL": "pkg:otp/public_key?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/pubkey_cert.erl",
"src/public_key.erl"
],
"programRoutines": [
{
"name": "pubkey_cert:validate_names/6"
},
{
"name": "public_key:pkix_verify_hostname/3"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "1.15.1.7",
"status": "unaffected"
},
{
"at": "1.17.1.3",
"status": "unaffected"
},
{
"at": "1.20.3.1",
"status": "unaffected"
},
{
"at": "1.21.1",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "1.4",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"pubkey_cert",
"public_key"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/public_key/src/pubkey_cert.erl",
"lib/public_key/src/public_key.erl"
],
"programRoutines": [
{
"name": "pubkey_cert:validate_names/6"
},
{
"name": "public_key:pkix_verify_hostname/3"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "26.2.5.21",
"status": "unaffected"
},
{
"at": "27.3.4.12",
"status": "unaffected"
},
{
"at": "28.5.0.1",
"status": "unaffected"
},
{
"at": "29.0.1",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "19.3",
"versionType": "otp"
},
{
"changes": [
{
"at": "0769050c69d73762672b0db1347b6993a5b31759",
"status": "unaffected"
},
{
"at": "fb67c6d1836f51105a96d8b769e71e4215a79457",
"status": "unaffected"
},
{
"at": "21abed64eb2026b5f82f432709e4e932f9be389a",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "b0c245e8132bb13171e277b1af59c0cec00c9459",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "26.2.5.21",
"versionStartIncluding": "19.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.12",
"versionStartIncluding": "27.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.5.0.1",
"versionStartIncluding": "28.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "29.0.1",
"versionStartIncluding": "29.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "John Downey"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ingela Anderton Andin"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Dan Gudmundsson"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Jakub Witczak"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Certificate Validation vulnerability in Erlang OTP \u003ctt\u003epublic_key\u003c/tt\u003e (\u003ctt\u003epubkey_cert\u003c/tt\u003e and \u003ctt\u003epublic_key\u003c/tt\u003e modules) allows a DNS \u003ctt\u003enameConstraints\u003c/tt\u003e bypass via subject CommonName fallback in TLS hostname verification.\u003cp\u003eTwo flaws combine to allow a subordinate CA whose DNS \u003ctt\u003enameConstraints\u003c/tt\u003e are restricted (e.g. \u003ctt\u003epermitted;DNS:allowed.example.com\u003c/tt\u003e) to issue a leaf certificate that an OTP TLS client accepts as a valid identity for an out-of-scope hostname (e.g. \u003ctt\u003evictim.example.com\u003c/tt\u003e):\u003c/p\u003e\u003cp\u003eFirst, \u003ctt\u003epubkey_cert:validate_names/6\u003c/tt\u003e in \u003ctt\u003elib/public_key/src/pubkey_cert.erl\u003c/tt\u003e only checks SAN DNS entries against \u003ctt\u003enameConstraints\u003c/tt\u003e. Per RFC 5280, a permitted DNS subtree only restricts certificates that contain a DNS-typed name. A leaf with no \u003ctt\u003esubjectAltName\u003c/tt\u003e therefore trivially satisfies any \u003ctt\u003epermitted;DNS:...\u003c/tt\u003e constraint regardless of its subject \u003ctt\u003ecommonName\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eSecond, \u003ctt\u003epublic_key:pkix_verify_hostname/3\u003c/tt\u003e in \u003ctt\u003elib/public_key/src/public_key.erl\u003c/tt\u003e falls back to the subject \u003ctt\u003ecommonName\u003c/tt\u003e when no \u003ctt\u003esubjectAltName\u003c/tt\u003e is present, extracting \u003ctt\u003eid-at-commonName\u003c/tt\u003e attributes as presented IDs and matching them against the reference hostname. The strict \u003ctt\u003epkix_verify_hostname_match_fun(https)\u003c/tt\u003e matcher does not suppress this fallback.\u003c/p\u003e\u003cp\u003eThe result is that path validation accepts a CN-only leaf under a DNS-constrained intermediate (no SAN means the \u003ctt\u003enameConstraints\u003c/tt\u003e are not triggered), and hostname verification then accepts it via the CN fallback. The bypass is reachable from stock \u003ctt\u003essl:connect\u003c/tt\u003e with \u003ctt\u003everify_peer\u003c/tt\u003e, a trusted CA, SNI, and the canonical strict \u003ctt\u003ehttps\u003c/tt\u003e hostname matcher.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 19.3 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to \u003ctt\u003epublic_key\u003c/tt\u003e from 1.4 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1.\u003c/p\u003e"
}
],
"value": "Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_cert and public_key modules) allows a DNS nameConstraints bypass via subject CommonName fallback in TLS hostname verification.\n\nTwo flaws combine to allow a subordinate CA whose DNS nameConstraints are restricted (e.g. permitted;DNS:allowed.example.com) to issue a leaf certificate that an OTP TLS client accepts as a valid identity for an out-of-scope hostname (e.g. victim.example.com):\n\nFirst, pubkey_cert:validate_names/6 in lib/public_key/src/pubkey_cert.erl only checks SAN DNS entries against nameConstraints. Per RFC 5280, a permitted DNS subtree only restricts certificates that contain a DNS-typed name. A leaf with no subjectAltName therefore trivially satisfies any permitted;DNS:... constraint regardless of its subject commonName.\n\nSecond, public_key:pkix_verify_hostname/3 in lib/public_key/src/public_key.erl falls back to the subject commonName when no subjectAltName is present, extracting id-at-commonName attributes as presented IDs and matching them against the reference hostname. The strict pkix_verify_hostname_match_fun(https) matcher does not suppress this fallback.\n\nThe result is that path validation accepts a CN-only leaf under a DNS-constrained intermediate (no SAN means the nameConstraints are not triggered), and hostname verification then accepts it via the CN fallback. The bypass is reachable from stock ssl:connect with verify_peer, a trusted CA, SNI, and the canonical strict https hostname matcher.\n\nThis issue affects OTP from OTP 19.3 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 1.4 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1."
}
],
"impacts": [
{
"capecId": "CAPEC-475",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-475 Signature Spoofing by Improper Validation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-297",
"description": "CWE-297 Improper Validation of Certificate with Host Mismatch",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T04:39:17.033Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-22cw-4ph4-6447"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-42790.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-42790"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/0769050c69d73762672b0db1347b6993a5b31759"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/fb67c6d1836f51105a96d8b769e71e4215a79457"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/21abed64eb2026b5f82f432709e4e932f9be389a"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "nameConstraints DNS bypass via subject CommonName fallback in public_key hostname verification",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The \u003ctt\u003everify_fun\u003c/tt\u003e option in the \u003ctt\u003essl\u003c/tt\u003e application can be used to ensure that TLS connections fail if the end-entity certificate is missing the \u003ctt\u003esubjectAltName\u003c/tt\u003e extension or has no domain name. Do not use a \u003ctt\u003everify_fun\u003c/tt\u003e that accepts the \u003ctt\u003ename_not_permitted\u003c/tt\u003e error."
}
],
"value": "The verify_fun option in the ssl application can be used to ensure that TLS connections fail if the end-entity certificate is missing the subjectAltName extension or has no domain name. Do not use a verify_fun that accepts the name_not_permitted error."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-42790",
"datePublished": "2026-05-27T15:09:01.860Z",
"dateReserved": "2026-04-29T18:06:33.251Z",
"dateUpdated": "2026-05-28T04:39:17.033Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42791 (GCVE-0-2026-42791)
Vulnerability from cvelistv5 – Published: 2026-05-27 12:23 – Updated: 2026-05-27 15:41
VLAI
Title
OCSP responder certificate validity period not checked in public_key
Summary
Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows forged OCSP responses signed with an expired responder certificate to be accepted as valid.
OCSP response verification in pubkey_ocsp:verify_response/5 and pubkey_ocsp:is_authorized_responder/3 in lib/public_key/src/pubkey_ocsp.erl does not check the validity period (notBefore/notAfter) of the OCSP responder certificate. An attacker who has obtained the private key of an expired CA-designated OCSP responder certificate can forge OCSP responses that Erlang/OTP accepts as valid.
This affects TLS clients using OCSP stapling via the ssl application: a malicious or compromised server can present a revoked TLS certificate together with a forged OCSP response signed by an expired responder key, and the client will accept the revoked certificate as valid. It also affects applications calling public_key:pkix_ocsp_validate/5 directly, where the impact depends on the use case — server-side client certificate validation using this API may allow authentication bypass with a revoked client certificate.
This issue affects OTP from OTP 27.0 before OTP 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 1.16 before 1.17.1.3, 1.20.3.1, and 1.21.1.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://github.com/erlang/otp/security/advisories… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-42791.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-42791 | related |
| https://www.erlang.org/doc/system/versions.html#o… | x_version-scheme |
| https://github.com/erlang/otp/commit/7995f1fdaee3… | patch |
| https://github.com/erlang/otp/commit/b3870e02405c… | patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42791",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T15:40:27.647844Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T15:40:49.123Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"pubkey_ocsp"
],
"packageName": "public_key",
"packageURL": "pkg:otp/public_key?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/pubkey_ocsp.erl"
],
"programRoutines": [
{
"name": "pubkey_ocsp:verify_response/5"
},
{
"name": "pubkey_ocsp:is_authorized_responder/3"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "1.17.1.3",
"status": "unaffected"
},
{
"at": "1.20.3.1",
"status": "unaffected"
},
{
"at": "1.21.1",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "1.16",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"pubkey_ocsp"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/public_key/src/pubkey_ocsp.erl"
],
"programRoutines": [
{
"name": "pubkey_ocsp:verify_response/5"
},
{
"name": "pubkey_ocsp:is_authorized_responder/3"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "27.3.4.12",
"status": "unaffected"
},
{
"at": "28.5.0.1",
"status": "unaffected"
},
{
"at": "29.0.1",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "27.0",
"versionType": "otp"
},
{
"changes": [
{
"at": "7995f1fdaee3da569bb810358ce0f546471d169b",
"status": "unaffected"
},
{
"at": "b3870e02405c709a872b01ba6086065620cdfe76",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "2b1a742c651b90f8a7a1fb2ddde73f29915ea376",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "For the \u003ctt\u003essl\u003c/tt\u003e application, OCSP stapling must be enabled by setting the \u003ctt\u003estapling\u003c/tt\u003e option to \u003ctt\u003estaple\u003c/tt\u003e in the TLS client options. OCSP stapling is not enabled by default.\u003cp\u003eApplications calling \u003ctt\u003epublic_key:pkix_ocsp_validate/5\u003c/tt\u003e directly are unconditionally affected when that function is used.\u003c/p\u003e"
}
],
"value": "For the ssl application, OCSP stapling must be enabled by setting the stapling option to staple in the TLS client options. OCSP stapling is not enabled by default.\n\nApplications calling public_key:pkix_ocsp_validate/5 directly are unconditionally affected when that function is used."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.12",
"versionStartIncluding": "27.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.5.0.1",
"versionStartIncluding": "28.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "29.0.1",
"versionStartIncluding": "29.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "remediation developer",
"value": "Jakub Witczak"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Ingela Anderton Andin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Certificate Validation vulnerability in Erlang OTP \u003ctt\u003epublic_key\u003c/tt\u003e (\u003ctt\u003epubkey_ocsp\u003c/tt\u003e module) allows forged OCSP responses signed with an expired responder certificate to be accepted as valid.\u003cp\u003eOCSP response verification in \u003ctt\u003epubkey_ocsp:verify_response/5\u003c/tt\u003e and \u003ctt\u003epubkey_ocsp:is_authorized_responder/3\u003c/tt\u003e in \u003ctt\u003elib/public_key/src/pubkey_ocsp.erl\u003c/tt\u003e does not check the validity period (\u003ctt\u003enotBefore\u003c/tt\u003e/\u003ctt\u003enotAfter\u003c/tt\u003e) of the OCSP responder certificate. An attacker who has obtained the private key of an expired CA-designated OCSP responder certificate can forge OCSP responses that Erlang/OTP accepts as valid.\u003c/p\u003e\u003cp\u003eThis affects TLS clients using OCSP stapling via the \u003ctt\u003essl\u003c/tt\u003e application: a malicious or compromised server can present a revoked TLS certificate together with a forged OCSP response signed by an expired responder key, and the client will accept the revoked certificate as valid. It also affects applications calling \u003ctt\u003epublic_key:pkix_ocsp_validate/5\u003c/tt\u003e directly, where the impact depends on the use case \u2014 server-side client certificate validation using this API may allow authentication bypass with a revoked client certificate.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 27.0 before OTP 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to \u003ctt\u003epublic_key\u003c/tt\u003e from 1.16 before 1.17.1.3, 1.20.3.1, and 1.21.1.\u003c/p\u003e"
}
],
"value": "Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows forged OCSP responses signed with an expired responder certificate to be accepted as valid.\n\nOCSP response verification in pubkey_ocsp:verify_response/5 and pubkey_ocsp:is_authorized_responder/3 in lib/public_key/src/pubkey_ocsp.erl does not check the validity period (notBefore/notAfter) of the OCSP responder certificate. An attacker who has obtained the private key of an expired CA-designated OCSP responder certificate can forge OCSP responses that Erlang/OTP accepts as valid.\n\nThis affects TLS clients using OCSP stapling via the ssl application: a malicious or compromised server can present a revoked TLS certificate together with a forged OCSP response signed by an expired responder key, and the client will accept the revoked certificate as valid. It also affects applications calling public_key:pkix_ocsp_validate/5 directly, where the impact depends on the use case \u2014 server-side client certificate validation using this API may allow authentication bypass with a revoked client certificate.\n\nThis issue affects OTP from OTP 27.0 before OTP 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 1.16 before 1.17.1.3, 1.20.3.1, and 1.21.1."
}
],
"impacts": [
{
"capecId": "CAPEC-475",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-475 Signature Spoofing by Improper Validation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-672",
"description": "CWE-672 Operation on a Resource after Expiration or Release",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T15:41:07.758Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-cjxj-wj6x-3fff"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-42791.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-42791"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/7995f1fdaee3da569bb810358ce0f546471d169b"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/b3870e02405c709a872b01ba6086065620cdfe76"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "OCSP responder certificate validity period not checked in public_key",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eFor TLS clients using the \u003ctt\u003essl\u003c/tt\u003e application, disable OCSP stapling by setting \u003ctt\u003e{stapling, no_staple}\u003c/tt\u003e in the client options, or switch to CRL-based revocation checking with \u003ctt\u003e{crl_check, true}\u003c/tt\u003e.\u003c/li\u003e\u003cli\u003eFor applications calling \u003ctt\u003epublic_key:pkix_ocsp_validate/5\u003c/tt\u003e directly, validate the responder certificate\u0027s validity period in application code before calling the function.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* For TLS clients using the ssl application, disable OCSP stapling by setting {stapling, no_staple} in the client options, or switch to CRL-based revocation checking with {crl_check, true}.\n* For applications calling public_key:pkix_ocsp_validate/5 directly, validate the responder certificate\u0027s validity period in application code before calling the function."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-42791",
"datePublished": "2026-05-27T12:23:13.584Z",
"dateReserved": "2026-04-29T18:06:33.251Z",
"dateUpdated": "2026-05-27T15:41:07.758Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}