5 vulnerabilities by elixir-tesla
CVE-2026-48596 (GCVE-0-2026-48596)
Vulnerability from cvelistv5 – Published: 2026-06-02 19:09 – Updated: 2026-06-04 04:45
Title
CRLF injection in Tesla.Multipart.add_content_type_param/2 allows HTTP header injection
Summary
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in elixir-tesla tesla allows HTTP header injection via Tesla.Multipart.add_content_type_param/2.
Tesla.Multipart.add_content_type_param/2 appends caller-supplied strings to the multipart content_type_params list without validating for CR (\r) or LF (\n) characters. Tesla.Multipart.headers/1 then joins these params verbatim with "; " to construct the outgoing Content-Type header value. A param containing \r\n splits the header line, allowing arbitrary headers to be injected into the outbound HTTP request. Any application that forwards untrusted input (such as a user-supplied charset or parameter string) into add_content_type_param/2 is affected.
This issue affects tesla: from 0.8.0 before 1.18.3.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/elixir-tesla/tesla/security/ad… | vendor-advisory, related |
| https://cna.erlef.org/cves/CVE-2026-48596.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-48596 | related |
| https://github.com/elixir-tesla/tesla/commit/2360… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| elixir-tesla | tesla | Affected: 0.8.0 , < 1.18.3 (semver) | cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:* |
| elixir-tesla | tesla | Affected: 6ebfdb9abe9c6f119408045b933d82462decd351 , < 23601edac5d22ba9407b427967b5bdbda201aec2 (git) | cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48596",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T13:01:48.568462Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T13:01:52.596Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/elixir-tesla/tesla/security/advisories/GHSA-q7jx-v53g-848w"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Tesla.Multipart\u0027"
],
"packageName": "tesla",
"packageURL": "pkg:hex/tesla",
"product": "tesla",
"programFiles": [
"lib/tesla/multipart.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Tesla.Multipart\u0027:add_content_type_param/2"
},
{
"name": "\u0027Elixir.Tesla.Multipart\u0027:headers/1"
}
],
"repo": "https://github.com/elixir-tesla/tesla",
"vendor": "elixir-tesla",
"versions": [
{
"lessThan": "1.18.3",
"status": "affected",
"version": "0.8.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Tesla.Multipart\u0027"
],
"packageName": "elixir-tesla/tesla",
"packageURL": "pkg:github/elixir-tesla/tesla",
"product": "tesla",
"programFiles": [
"lib/tesla/multipart.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Tesla.Multipart\u0027:add_content_type_param/2"
},
{
"name": "\u0027Elixir.Tesla.Multipart\u0027:headers/1"
}
],
"repo": "https://github.com/elixir-tesla/tesla.git",
"vendor": "elixir-tesla",
"versions": [
{
"lessThan": "23601edac5d22ba9407b427967b5bdbda201aec2",
"status": "affected",
"version": "6ebfdb9abe9c6f119408045b933d82462decd351",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The application must pass untrusted input into \u003ctt\u003eTesla.Multipart.add_content_type_param/2\u003c/tt\u003e."
}
],
"value": "The application must pass untrusted input into Tesla.Multipart.add_content_type_param/2."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.18.3",
"versionStartIncluding": "0.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Yordis Prieto"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027) vulnerability in elixir-tesla tesla allows HTTP header injection via \u003ctt\u003eTesla.Multipart.add_content_type_param/2\u003c/tt\u003e.\u003cp\u003e\u003ctt\u003eTesla.Multipart.add_content_type_param/2\u003c/tt\u003e appends caller-supplied strings to the multipart \u003ctt\u003econtent_type_params\u003c/tt\u003e list without validating for CR (\u003ctt\u003e\\r\u003c/tt\u003e) or LF (\u003ctt\u003e\\n\u003c/tt\u003e) characters. \u003ctt\u003eTesla.Multipart.headers/1\u003c/tt\u003e then joins these params verbatim with \u003ctt\u003e\"; \"\u003c/tt\u003e to construct the outgoing \u003ctt\u003eContent-Type\u003c/tt\u003e header value. A param containing \u003ctt\u003e\\r\\n\u003c/tt\u003e splits the header line, allowing arbitrary headers to be injected into the outbound HTTP request. Any application that forwards untrusted input (such as a user-supplied charset or parameter string) into \u003ctt\u003eadd_content_type_param/2\u003c/tt\u003e is affected.\u003c/p\u003e\u003cp\u003eThis issue affects tesla: from 0.8.0 before 1.18.3.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027) vulnerability in elixir-tesla tesla allows HTTP header injection via Tesla.Multipart.add_content_type_param/2.\n\nTesla.Multipart.add_content_type_param/2 appends caller-supplied strings to the multipart content_type_params list without validating for CR (\\r) or LF (\\n) characters. Tesla.Multipart.headers/1 then joins these params verbatim with \"; \" to construct the outgoing Content-Type header value. A param containing \\r\\n splits the header line, allowing arbitrary headers to be injected into the outbound HTTP request. Any application that forwards untrusted input (such as a user-supplied charset or parameter string) into add_content_type_param/2 is affected.\n\nThis issue affects tesla: from 0.8.0 before 1.18.3."
}
],
"impacts": [
{
"capecId": "CAPEC-105",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-105 HTTP Request Splitting"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-113",
"description": "CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T04:45:42.210Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-tesla/tesla/security/advisories/GHSA-q7jx-v53g-848w"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-48596.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48596"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-tesla/tesla/commit/23601edac5d22ba9407b427967b5bdbda201aec2"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "CRLF injection in Tesla.Multipart.add_content_type_param/2 allows HTTP header injection",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Validate content-type parameter strings before passing them to \u003ctt\u003eTesla.Multipart.add_content_type_param/2\u003c/tt\u003e, rejecting any value that contains \u003ctt\u003e\\r\u003c/tt\u003e or \u003ctt\u003e\\n\u003c/tt\u003e."
}
],
"value": "Validate content-type parameter strings before passing them to Tesla.Multipart.add_content_type_param/2, rejecting any value that contains \\r or \\n."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-48596",
"datePublished": "2026-06-02T19:09:31.615Z",
"dateReserved": "2026-05-22T09:36:56.834Z",
"dateUpdated": "2026-06-04T04:45:42.210Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48594 (GCVE-0-2026-48594)
Vulnerability from cvelistv5 – Published: 2026-06-02 19:08 – Updated: 2026-06-04 04:45
Title
Decompression bomb in Tesla.Middleware.DecompressResponse and Tesla.Middleware.Compression
Summary
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-tesla tesla allows a denial of service via decompression bomb in HTTP response bodies.
When Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression is included in a Tesla middleware pipeline, HTTP response bodies are decompressed eagerly with no size limit. The decompress_body/2 function in lib/tesla/middleware/compression.ex passes the entire response body to :zlib.gunzip/1 or :zlib.unzip/1 without any cap on the output size. Additionally, compression_algorithms/1 splits the content-encoding header on commas and decompress_body/2 recurses once per token, applying a decompression pass on each iteration. A server advertising content-encoding: gzip, gzip, gzip, gzip causes four recursive decompression passes, yielding exponential amplification: each gzip layer can expand its input roughly 1000x, so a payload of a few hundred bytes on the wire inflates to gigabytes of BEAM heap, exhausting memory and crashing or freezing the calling process.
This issue affects tesla: from 0.6.0 before 1.18.3.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/elixir-tesla/tesla/security/ad… | vendor-advisory, related |
| https://cna.erlef.org/cves/CVE-2026-48594.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-48594 | related |
| https://github.com/elixir-tesla/tesla/commit/340f… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| elixir-tesla | tesla | Affected: 0.6.0 , < 1.18.3 (semver) | cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:* |
| elixir-tesla | tesla | Affected: 5bd90bb5cf0d15e375edc2a66fa322292940fce2 , < 340f75b5d191dc747ef7ac6365bd002d1cd55a9d (git) | cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48594",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T14:39:48.594599Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T14:39:54.578Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/elixir-tesla/tesla/security/advisories/GHSA-mc85-72gr-vm9f"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Tesla.Middleware.Compression\u0027",
"\u0027Elixir.Tesla.Middleware.DecompressResponse\u0027"
],
"packageName": "tesla",
"packageURL": "pkg:hex/tesla",
"product": "tesla",
"programFiles": [
"lib/tesla/middleware/compression.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Tesla.Middleware.DecompressResponse\u0027:call/3"
},
{
"name": "\u0027Elixir.Tesla.Middleware.Compression\u0027:call/3"
}
],
"repo": "https://github.com/elixir-tesla/tesla",
"vendor": "elixir-tesla",
"versions": [
{
"lessThan": "1.18.3",
"status": "affected",
"version": "0.6.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Tesla.Middleware.Compression\u0027",
"\u0027Elixir.Tesla.Middleware.DecompressResponse\u0027"
],
"packageName": "elixir-tesla/tesla",
"packageURL": "pkg:github/elixir-tesla/tesla",
"product": "tesla",
"programFiles": [
"lib/tesla/middleware/compression.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Tesla.Middleware.DecompressResponse\u0027:call/3"
},
{
"name": "\u0027Elixir.Tesla.Middleware.Compression\u0027:call/3"
}
],
"repo": "https://github.com/elixir-tesla/tesla.git",
"vendor": "elixir-tesla",
"versions": [
{
"lessThan": "340f75b5d191dc747ef7ac6365bd002d1cd55a9d",
"status": "affected",
"version": "5bd90bb5cf0d15e375edc2a66fa322292940fce2",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The application must include \u003ctt\u003eTesla.Middleware.DecompressResponse\u003c/tt\u003e or \u003ctt\u003eTesla.Middleware.Compression\u003c/tt\u003e in its Tesla middleware pipeline."
}
],
"value": "The application must include Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression in its Tesla middleware pipeline."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.18.3",
"versionStartIncluding": "0.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Yordis Prieto"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-tesla tesla allows a denial of service via decompression bomb in HTTP response bodies.\u003cp\u003eWhen \u003ctt\u003eTesla.Middleware.DecompressResponse\u003c/tt\u003e or \u003ctt\u003eTesla.Middleware.Compression\u003c/tt\u003e is included in a Tesla middleware pipeline, HTTP response bodies are decompressed eagerly with no size limit. The \u003ctt\u003edecompress_body/2\u003c/tt\u003e function in \u003ctt\u003elib/tesla/middleware/compression.ex\u003c/tt\u003e passes the entire response body to \u003ctt\u003e:zlib.gunzip/1\u003c/tt\u003e or \u003ctt\u003e:zlib.unzip/1\u003c/tt\u003e without any cap on the output size. Additionally, \u003ctt\u003ecompression_algorithms/1\u003c/tt\u003e splits the \u003ctt\u003econtent-encoding\u003c/tt\u003e header on commas and \u003ctt\u003edecompress_body/2\u003c/tt\u003e recurses once per token, applying a decompression pass on each iteration. A server advertising \u003ctt\u003econtent-encoding: gzip, gzip, gzip, gzip\u003c/tt\u003e causes four recursive decompression passes, yielding exponential amplification: each gzip layer can expand its input roughly 1000x, so a payload of a few hundred bytes on the wire inflates to gigabytes of BEAM heap, exhausting memory and crashing or freezing the calling process.\u003c/p\u003e\u003cp\u003eThis issue affects tesla: from 0.6.0 before 1.18.3.\u003c/p\u003e"
}
],
"value": "Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-tesla tesla allows a denial of service via decompression bomb in HTTP response bodies.\n\nWhen Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression is included in a Tesla middleware pipeline, HTTP response bodies are decompressed eagerly with no size limit. The decompress_body/2 function in lib/tesla/middleware/compression.ex passes the entire response body to :zlib.gunzip/1 or :zlib.unzip/1 without any cap on the output size. Additionally, compression_algorithms/1 splits the content-encoding header on commas and decompress_body/2 recurses once per token, applying a decompression pass on each iteration. A server advertising content-encoding: gzip, gzip, gzip, gzip causes four recursive decompression passes, yielding exponential amplification: each gzip layer can expand its input roughly 1000x, so a payload of a few hundred bytes on the wire inflates to gigabytes of BEAM heap, exhausting memory and crashing or freezing the calling process.\n\nThis issue affects tesla: from 0.6.0 before 1.18.3."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-409",
"description": "CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T04:45:31.475Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-tesla/tesla/security/advisories/GHSA-mc85-72gr-vm9f"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-48594.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48594"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-tesla/tesla/commit/340f75b5d191dc747ef7ac6365bd002d1cd55a9d"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Decompression bomb in Tesla.Middleware.DecompressResponse and Tesla.Middleware.Compression",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-48594",
"datePublished": "2026-06-02T19:08:49.596Z",
"dateReserved": "2026-05-22T09:36:56.834Z",
"dateUpdated": "2026-06-04T04:45:31.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48595 (GCVE-0-2026-48595)
Vulnerability from cvelistv5 – Published: 2026-06-02 19:08 – Updated: 2026-06-04 04:45
Title
Authorization header leaks to third-party origin on cross-origin redirect in Tesla.Middleware.FollowRedirects
Summary
Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-origin redirects.
Tesla.Middleware.FollowRedirects strips security-sensitive headers on cross-origin redirects using a case-sensitive string comparison against a lowercase filter list (@filter_headers ["authorization", "host"]). HTTP header names are case-insensitive per RFC 7230, but Tesla preserves header keys verbatim as supplied by the caller without normalizing case. A header set as {"Authorization", "Bearer …"} (the RFC 7235 canonical casing used by virtually all HTTP libraries and documentation) does not match the lowercase filter entry and is forwarded to the redirect destination. An attacker who can control or influence a Location: response seen by the client (via their own endpoint, a redirect-open upstream, or a compromised origin) receives the bearer token or other Authorization material on the cross-origin request.
This issue affects tesla: from 1.4.0 before 1.18.3.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-178 - Improper Handling of Case Sensitivity
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/elixir-tesla/tesla/security/ad… | vendor-advisory, related |
| https://cna.erlef.org/cves/CVE-2026-48595.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-48595 | related |
| https://github.com/elixir-tesla/tesla/commit/db96… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| elixir-tesla | tesla | Affected: 1.4.0 , < 1.18.3 (semver) | cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:* |
| elixir-tesla | tesla | Affected: 2d937d5813d7cda5cd726f41824985fb655c920f , < db963dba67651b9abd1fc420a1d9679cf6efe182 (git) | cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48595",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T15:59:45.683092Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:59:54.838Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/elixir-tesla/tesla/security/advisories/GHSA-9m9w-gxf7-rh8m"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Tesla.Middleware.FollowRedirects\u0027"
],
"packageName": "tesla",
"packageURL": "pkg:hex/tesla",
"product": "tesla",
"programFiles": [
"lib/tesla/middleware/follow_redirects.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Tesla.Middleware.FollowRedirects\u0027:call/3"
}
],
"repo": "https://github.com/elixir-tesla/tesla",
"vendor": "elixir-tesla",
"versions": [
{
"lessThan": "1.18.3",
"status": "affected",
"version": "1.4.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Tesla.Middleware.FollowRedirects\u0027"
],
"packageName": "elixir-tesla/tesla",
"packageURL": "pkg:github/elixir-tesla/tesla",
"product": "tesla",
"programFiles": [
"lib/tesla/middleware/follow_redirects.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Tesla.Middleware.FollowRedirects\u0027:call/3"
}
],
"repo": "https://github.com/elixir-tesla/tesla.git",
"vendor": "elixir-tesla",
"versions": [
{
"lessThan": "db963dba67651b9abd1fc420a1d9679cf6efe182",
"status": "affected",
"version": "2d937d5813d7cda5cd726f41824985fb655c920f",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The application must include \u003ctt\u003eTesla.Middleware.FollowRedirects\u003c/tt\u003e in its Tesla middleware pipeline."
}
],
"value": "The application must include Tesla.Middleware.FollowRedirects in its Tesla middleware pipeline."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.18.3",
"versionStartIncluding": "1.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Yordis Prieto"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-origin redirects.\u003cp\u003e\u003ctt\u003eTesla.Middleware.FollowRedirects\u003c/tt\u003e strips security-sensitive headers on cross-origin redirects using a case-sensitive string comparison against a lowercase filter list (\u003ctt\u003e@filter_headers [\"authorization\", \"host\"]\u003c/tt\u003e). HTTP header names are case-insensitive per RFC 7230, but Tesla preserves header keys verbatim as supplied by the caller without normalizing case. A header set as \u003ctt\u003e{\"Authorization\", \"Bearer \u2026\"}\u003c/tt\u003e (the RFC 7235 canonical casing used by virtually all HTTP libraries and documentation) does not match the lowercase filter entry and is forwarded to the redirect destination. An attacker who can control or influence a \u003ctt\u003eLocation:\u003c/tt\u003e response seen by the client (via their own endpoint, a redirect-open upstream, or a compromised origin) receives the bearer token or other \u003ctt\u003eAuthorization\u003c/tt\u003e material on the cross-origin request.\u003c/p\u003e\u003cp\u003eThis issue affects tesla: from 1.4.0 before 1.18.3.\u003c/p\u003e"
}
],
"value": "Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-origin redirects.\n\nTesla.Middleware.FollowRedirects strips security-sensitive headers on cross-origin redirects using a case-sensitive string comparison against a lowercase filter list (@filter_headers [\"authorization\", \"host\"]). HTTP header names are case-insensitive per RFC 7230, but Tesla preserves header keys verbatim as supplied by the caller without normalizing case. A header set as {\"Authorization\", \"Bearer \u2026\"} (the RFC 7235 canonical casing used by virtually all HTTP libraries and documentation) does not match the lowercase filter entry and is forwarded to the redirect destination. An attacker who can control or influence a Location: response seen by the client (via their own endpoint, a redirect-open upstream, or a compromised origin) receives the bearer token or other Authorization material on the cross-origin request.\n\nThis issue affects tesla: from 1.4.0 before 1.18.3."
}
],
"impacts": [
{
"capecId": "CAPEC-267",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-267 Leverage Alternate Encoding"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-178",
"description": "CWE-178 Improper Handling of Case Sensitivity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T04:45:31.067Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-tesla/tesla/security/advisories/GHSA-9m9w-gxf7-rh8m"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-48595.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48595"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-tesla/tesla/commit/db963dba67651b9abd1fc420a1d9679cf6efe182"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Authorization header leaks to third-party origin on cross-origin redirect in Tesla.Middleware.FollowRedirects",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Normalize all header keys to lowercase before passing them to Tesla. Use \u003ctt\u003e\"authorization\"\u003c/tt\u003e instead of \u003ctt\u003e\"Authorization\"\u003c/tt\u003e when setting headers via \u003ctt\u003eTesla.put_header/3\u003c/tt\u003e or \u003ctt\u003eTesla.Middleware.Headers\u003c/tt\u003e."
}
],
"value": "Normalize all header keys to lowercase before passing them to Tesla. Use \"authorization\" instead of \"Authorization\" when setting headers via Tesla.put_header/3 or Tesla.Middleware.Headers."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-48595",
"datePublished": "2026-06-02T19:08:48.339Z",
"dateReserved": "2026-05-22T09:36:56.834Z",
"dateUpdated": "2026-06-04T04:45:31.067Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48597 (GCVE-0-2026-48597)
Vulnerability from cvelistv5 – Published: 2026-06-02 19:08 – Updated: 2026-06-04 04:45
Title
Atom table exhaustion via untrusted URL scheme in Tesla.Adapter.Mint
Summary
Allocation of Resources Without Limits or Throttling vulnerability in elixir-tesla tesla allows denial of service via atom table exhaustion in Tesla.Adapter.Mint.
Tesla.Adapter.Mint.open_conn/2 converts the URL scheme of every outgoing request to a BEAM atom via String.to_atom(uri.scheme) with no allow-list validation. BEAM atoms are never garbage-collected and the atom table is bounded (approximately 1,048,576 entries by default). An attacker who can influence the URL of a Tesla request — either via an application-level URL-forwarding feature (webhook, proxy, importer) or via a Location header returned by a server when Tesla.Middleware.FollowRedirects is in the pipeline — can mint one fresh permanent atom per request by varying the scheme string. After enough requests the atom table fills and the VM crashes, taking down the entire application.
This issue affects tesla: from 1.3.0 before 1.18.3.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/elixir-tesla/tesla/security/ad… | vendor-advisory, related |
| https://cna.erlef.org/cves/CVE-2026-48597.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-48597 | related |
| https://github.com/elixir-tesla/tesla/commit/4699… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| elixir-tesla | tesla | Affected: 1.3.0 , < 1.18.3 (semver) | cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:* |
| elixir-tesla | tesla | Affected: ccd0823d4ba37581a37d8f6108f9a81b263237ef , < 4699c3cb3e2fd6078f99f45f11cf7466aeedbf0e (git) | cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48597",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T14:44:24.414813Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T14:44:34.559Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/elixir-tesla/tesla/security/advisories/GHSA-h74c-q9j7-mpcm"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Tesla.Adapter.Mint\u0027"
],
"packageName": "tesla",
"packageURL": "pkg:hex/tesla",
"product": "tesla",
"programFiles": [
"lib/tesla/adapter/mint.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Tesla.Adapter.Mint\u0027:open_conn/2"
}
],
"repo": "https://github.com/elixir-tesla/tesla",
"vendor": "elixir-tesla",
"versions": [
{
"lessThan": "1.18.3",
"status": "affected",
"version": "1.3.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Tesla.Adapter.Mint\u0027"
],
"packageName": "elixir-tesla/tesla",
"packageURL": "pkg:github/elixir-tesla/tesla",
"product": "tesla",
"programFiles": [
"lib/tesla/adapter/mint.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Tesla.Adapter.Mint\u0027:open_conn/2"
}
],
"repo": "https://github.com/elixir-tesla/tesla.git",
"vendor": "elixir-tesla",
"versions": [
{
"lessThan": "4699c3cb3e2fd6078f99f45f11cf7466aeedbf0e",
"status": "affected",
"version": "ccd0823d4ba37581a37d8f6108f9a81b263237ef",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The application must use \u003ctt\u003eTesla.Adapter.Mint\u003c/tt\u003e and either expose a feature that forwards attacker-controlled URLs to Tesla, or include \u003ctt\u003eTesla.Middleware.FollowRedirects\u003c/tt\u003e in the middleware pipeline."
}
],
"value": "The application must use Tesla.Adapter.Mint and either expose a feature that forwards attacker-controlled URLs to Tesla, or include Tesla.Middleware.FollowRedirects in the middleware pipeline."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.18.3",
"versionStartIncluding": "1.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Yordis Prieto"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Allocation of Resources Without Limits or Throttling vulnerability in elixir-tesla tesla allows denial of service via atom table exhaustion in \u003ctt\u003eTesla.Adapter.Mint\u003c/tt\u003e.\u003cp\u003e\u003ctt\u003eTesla.Adapter.Mint.open_conn/2\u003c/tt\u003e converts the URL scheme of every outgoing request to a BEAM atom via \u003ctt\u003eString.to_atom(uri.scheme)\u003c/tt\u003e with no allow-list validation. BEAM atoms are never garbage-collected and the atom table is bounded (approximately 1,048,576 entries by default). An attacker who can influence the URL of a Tesla request \u2014 either via an application-level URL-forwarding feature (webhook, proxy, importer) or via a \u003ctt\u003eLocation\u003c/tt\u003e header returned by a server when \u003ctt\u003eTesla.Middleware.FollowRedirects\u003c/tt\u003e is in the pipeline \u2014 can mint one fresh permanent atom per request by varying the scheme string. After enough requests the atom table fills and the VM crashes, taking down the entire application.\u003c/p\u003e\u003cp\u003eThis issue affects tesla: from 1.3.0 before 1.18.3.\u003c/p\u003e"
}
],
"value": "Allocation of Resources Without Limits or Throttling vulnerability in elixir-tesla tesla allows denial of service via atom table exhaustion in Tesla.Adapter.Mint.\n\nTesla.Adapter.Mint.open_conn/2 converts the URL scheme of every outgoing request to a BEAM atom via String.to_atom(uri.scheme) with no allow-list validation. BEAM atoms are never garbage-collected and the atom table is bounded (approximately 1,048,576 entries by default). An attacker who can influence the URL of a Tesla request \u2014 either via an application-level URL-forwarding feature (webhook, proxy, importer) or via a Location header returned by a server when Tesla.Middleware.FollowRedirects is in the pipeline \u2014 can mint one fresh permanent atom per request by varying the scheme string. After enough requests the atom table fills and the VM crashes, taking down the entire application.\n\nThis issue affects tesla: from 1.3.0 before 1.18.3."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T04:45:28.962Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-tesla/tesla/security/advisories/GHSA-h74c-q9j7-mpcm"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-48597.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48597"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-tesla/tesla/commit/4699c3cb3e2fd6078f99f45f11cf7466aeedbf0e"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Atom table exhaustion via untrusted URL scheme in Tesla.Adapter.Mint",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-48597",
"datePublished": "2026-06-02T19:08:40.203Z",
"dateReserved": "2026-05-22T09:36:56.834Z",
"dateUpdated": "2026-06-04T04:45:28.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48598 (GCVE-0-2026-48598)
Vulnerability from cvelistv5 – Published: 2026-06-02 19:08 – Updated: 2026-06-04 04:45
Title
CRLF injection in Tesla.Multipart disposition parameters allows multipart part header injection
Summary
Improper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped Content-Disposition parameter values.
Tesla.Multipart.part_headers_for_disposition/1 interpolates each disposition parameter as #{k}="#{v}" with no validation of CR (\r), LF (\n), or double-quote characters. The values come verbatim from the caller via Tesla.Multipart.add_field/4 (the name parameter), Tesla.Multipart.add_file/3, and Tesla.Multipart.add_file_content/4 (both the filename parameter and other disposition opts). A " in the value closes the quoted parameter early; a \r\n ends the Content-Disposition header line and starts a new part header (such as a forged Content-Type), or, after a second \r\n, ends the entire part header block and prepends bytes to the part body. The default-filename path in add_file/3 derives the filename via Path.basename/1, which does not strip CR or LF, so any application forwarding a partially-attacker-controlled file path inherits the same issue.
This issue affects tesla: from 0.8.0 before 1.18.3.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/elixir-tesla/tesla/security/ad… | vendor-advisory, related |
| https://cna.erlef.org/cves/CVE-2026-48598.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-48598 | related |
| https://github.com/elixir-tesla/tesla/commit/bb1a… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| elixir-tesla | tesla | Affected: 0.8.0 , < 1.18.3 (semver) | cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:* |
| elixir-tesla | tesla | Affected: 6ebfdb9abe9c6f119408045b933d82462decd351 , < bb1a2c3da2775924d96e3db8e315dcc4d5d2246e (git) | cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48598",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T14:58:39.064613Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:00:21.959Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/elixir-tesla/tesla/security/advisories/GHSA-28jh-g32x-v9v4"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Tesla.Multipart\u0027"
],
"packageName": "tesla",
"packageURL": "pkg:hex/tesla",
"product": "tesla",
"programFiles": [
"lib/tesla/multipart.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Tesla.Multipart\u0027:part_headers_for_disposition/1"
},
{
"name": "\u0027Elixir.Tesla.Multipart\u0027:add_field/4"
},
{
"name": "\u0027Elixir.Tesla.Multipart\u0027:add_file/3"
},
{
"name": "\u0027Elixir.Tesla.Multipart\u0027:add_file_content/4"
}
],
"repo": "https://github.com/elixir-tesla/tesla",
"vendor": "elixir-tesla",
"versions": [
{
"lessThan": "1.18.3",
"status": "affected",
"version": "0.8.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Tesla.Multipart\u0027"
],
"packageName": "elixir-tesla/tesla",
"packageURL": "pkg:github/elixir-tesla/tesla",
"product": "tesla",
"programFiles": [
"lib/tesla/multipart.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Tesla.Multipart\u0027:part_headers_for_disposition/1"
},
{
"name": "\u0027Elixir.Tesla.Multipart\u0027:add_field/4"
},
{
"name": "\u0027Elixir.Tesla.Multipart\u0027:add_file/3"
},
{
"name": "\u0027Elixir.Tesla.Multipart\u0027:add_file_content/4"
}
],
"repo": "https://github.com/elixir-tesla/tesla.git",
"vendor": "elixir-tesla",
"versions": [
{
"lessThan": "bb1a2c3da2775924d96e3db8e315dcc4d5d2246e",
"status": "affected",
"version": "6ebfdb9abe9c6f119408045b933d82462decd351",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The application must pass untrusted input into a disposition parameter of \u003ctt\u003eTesla.Multipart.add_field/4\u003c/tt\u003e, \u003ctt\u003eTesla.Multipart.add_file/3\u003c/tt\u003e, or \u003ctt\u003eTesla.Multipart.add_file_content/4\u003c/tt\u003e."
}
],
"value": "The application must pass untrusted input into a disposition parameter of Tesla.Multipart.add_field/4, Tesla.Multipart.add_file/3, or Tesla.Multipart.add_file_content/4."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.18.3",
"versionStartIncluding": "0.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Yordis Prieto"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped \u003ctt\u003eContent-Disposition\u003c/tt\u003e parameter values.\u003cp\u003e\u003ctt\u003eTesla.Multipart.part_headers_for_disposition/1\u003c/tt\u003e interpolates each disposition parameter as \u003ctt\u003e#{k}=\"#{v}\"\u003c/tt\u003e with no validation of CR (\u003ctt\u003e\\r\u003c/tt\u003e), LF (\u003ctt\u003e\\n\u003c/tt\u003e), or double-quote characters. The values come verbatim from the caller via \u003ctt\u003eTesla.Multipart.add_field/4\u003c/tt\u003e (the \u003ctt\u003ename\u003c/tt\u003e parameter), \u003ctt\u003eTesla.Multipart.add_file/3\u003c/tt\u003e, and \u003ctt\u003eTesla.Multipart.add_file_content/4\u003c/tt\u003e (both the \u003ctt\u003efilename\u003c/tt\u003e parameter and other disposition opts). A \u003ctt\u003e\"\u003c/tt\u003e in the value closes the quoted parameter early; a \u003ctt\u003e\\r\\n\u003c/tt\u003e ends the \u003ctt\u003eContent-Disposition\u003c/tt\u003e header line and starts a new part header (such as a forged \u003ctt\u003eContent-Type\u003c/tt\u003e), or, after a second \u003ctt\u003e\\r\\n\u003c/tt\u003e, ends the entire part header block and prepends bytes to the part body. The default-filename path in \u003ctt\u003eadd_file/3\u003c/tt\u003e derives the filename via \u003ctt\u003ePath.basename/1\u003c/tt\u003e, which does not strip CR or LF, so any application forwarding a partially-attacker-controlled file path inherits the same issue.\u003c/p\u003e\u003cp\u003eThis issue affects tesla: from 0.8.0 before 1.18.3.\u003c/p\u003e"
}
],
"value": "Improper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped Content-Disposition parameter values.\n\nTesla.Multipart.part_headers_for_disposition/1 interpolates each disposition parameter as #{k}=\"#{v}\" with no validation of CR (\\r), LF (\\n), or double-quote characters. The values come verbatim from the caller via Tesla.Multipart.add_field/4 (the name parameter), Tesla.Multipart.add_file/3, and Tesla.Multipart.add_file_content/4 (both the filename parameter and other disposition opts). A \" in the value closes the quoted parameter early; a \\r\\n ends the Content-Disposition header line and starts a new part header (such as a forged Content-Type), or, after a second \\r\\n, ends the entire part header block and prepends bytes to the part body. The default-filename path in add_file/3 derives the filename via Path.basename/1, which does not strip CR or LF, so any application forwarding a partially-attacker-controlled file path inherits the same issue.\n\nThis issue affects tesla: from 0.8.0 before 1.18.3."
}
],
"impacts": [
{
"capecId": "CAPEC-105",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-105 HTTP Request Splitting"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T04:45:23.895Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-tesla/tesla/security/advisories/GHSA-28jh-g32x-v9v4"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-48598.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48598"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-tesla/tesla/commit/bb1a2c3da2775924d96e3db8e315dcc4d5d2246e"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "CRLF injection in Tesla.Multipart disposition parameters allows multipart part header injection",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Validate disposition parameter values before passing them to \u003ctt\u003eTesla.Multipart.add_field/4\u003c/tt\u003e, \u003ctt\u003eTesla.Multipart.add_file/3\u003c/tt\u003e, or \u003ctt\u003eTesla.Multipart.add_file_content/4\u003c/tt\u003e, rejecting any value that contains \u003ctt\u003e\\r\u003c/tt\u003e, \u003ctt\u003e\\n\u003c/tt\u003e, or \u003ctt\u003e\"\u003c/tt\u003e."
}
],
"value": "Validate disposition parameter values before passing them to Tesla.Multipart.add_field/4, Tesla.Multipart.add_file/3, or Tesla.Multipart.add_file_content/4, rejecting any value that contains \\r, \\n, or \"."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-48598",
"datePublished": "2026-06-02T19:08:19.921Z",
"dateReserved": "2026-05-22T09:36:56.834Z",
"dateUpdated": "2026-06-04T04:45:23.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}