{"vulnerability": "ghsa-q7jx-v53g-848w", "sightings": [{"uuid": "6089deee-a886-44d5-844b-0f16dd781058", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-q7jx-v53g-848w", "type": "seen", "source": "https://gist.github.com/alon710/c858490dcced6d8c05b3d0f0cec528f1", "content": "# CVE-2026-48596: CVE-2026-48596: Improper Neutralization of CRLF Sequences in Elixir Tesla Multipart HTTP Client\n\n&gt; **CVSS Score:** 2.1\n&gt; **Published:** 2026-07-10\n&gt; **Full Report:** https://cvereports.com/reports/CVE-2026-48596\n\n## Summary\nCVE-2026-48596 is an Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting, CWE-113) in the Elixir Tesla HTTP client. The flaw resides in how multipart content-type parameters are joined and serialized, enabling attackers to inject arbitrary headers or split HTTP requests when applications pass untrusted inputs to the parameters of multipart uploads.\n\n## TL;DR\nAn HTTP request/response splitting vulnerability in elixir-tesla allowed unauthenticated remote attackers to inject arbitrary headers or perform HTTP request smuggling by supplying CRLF characters to the Tesla.Multipart.add_content_type_param/2 function.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-113 (Improper Neutralization of CRLF Sequences)\n- **Attack Vector**: Local/Remote via application integration pattern\n- **CVSS v4.0 Score**: 2.1 (Low)\n- **EPSS Score**: 0.0017 (Percentile: 6.66%)\n- **Impact**: HTTP Request Splitting and Header Injection\n- **Exploit Status**: poc\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Elixir applications utilizing the elixir-tesla HTTP client library with user-provided parameters forwarded directly to the multipart boundary or charset configuration APIs.\n- **tesla**: from 0.8.0 before 1.18.3 (Fixed in: `1.18.3`)\n\n## Mitigation\n\n- Upgrade to version 1.18.3 or higher of the tesla hex package.\n- Sanitize user-provided values passed to add_content_type_param/2 by explicitly stripping or rejecting carriage returns, line feeds, and semicolons.\n- Implement static analysis checks to detect unvalidated parameters passing from entry-points into Tesla Multipart constructs.\n\n**Remediation Steps:**\n1. Open your application's `mix.exs` configuration file.\n2. Locate the `tesla` dependency declaration in the `deps/0` list.\n3. Update the version constraint to `{:tesla, \"~&gt; 1.18.3\"}`.\n4. Run `mix deps.update tesla` to download and lock the secured package version.\n5. Run `mix test` to confirm that standard multipart behavior remains functional.\n\n## References\n\n- [GitHub Security Advisory GHSA-q7jx-v53g-848w](https://github.com/elixir-tesla/tesla/security/advisories/GHSA-q7jx-v53g-848w)\n- [Fix Commit](https://github.com/elixir-tesla/tesla/commit/23601edac5d22ba9407b427967b5bdbda201aec2)\n- [Erlang Ecosystem Foundation Advisory details](https://cna.erlef.org/cves/CVE-2026-48596.html)\n- [OSV Database Record](https://osv.dev/vulnerability/EEF-CVE-2026-48596)\n- [NVD Vulnerability Record](https://nvd.nist.gov/vuln/detail/CVE-2026-48596)\n- [CVE Record](https://www.cve.org/CVERecord?id=CVE-2026-48596)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48596) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-10T02:42:38.390271Z"}]}