Home

Description

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in elixir-tesla tesla allows HTTP header injection via Tesla.Multipart.add_content_type_param/2. Tesla.Multipart.add_content_type_param/2 appends caller-supplied strings to the multipart content_type_params list without validating for CR (\r) or LF (\n) characters. Tesla.Multipart.headers/1 then joins these params verbatim with "; " to construct the outgoing Content-Type header value. A param containing \r\n splits the header line, allowing arbitrary headers to be injected into the outbound HTTP request. Any application that forwards untrusted input (such as a user-supplied charset or parameter string) into add_content_type_param/2 is affected. This issue affects tesla: from 0.8.0 before 1.18.3.

PUBLISHED Reserved 2026-05-22 | Published 2026-06-02 | Updated 2026-06-04 | Assigner EEF




LOW: 2.1CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

Problem types

CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

Product status

Default status
unaffected

0.8.0 (semver) before 1.18.3
affected

Default status
unaffected

6ebfdb9abe9c6f119408045b933d82462decd351 (git) before 23601edac5d22ba9407b427967b5bdbda201aec2
affected

Credits

Peter Ullrich finder

Yordis Prieto remediation developer

Jonatan Männchen analyst

References

github.com/.../tesla/security/advisories/GHSA-q7jx-v53g-848w exploit

github.com/.../tesla/security/advisories/GHSA-q7jx-v53g-848w vendor-advisory related

cna.erlef.org/cves/CVE-2026-48596.html related

osv.dev/vulnerability/EEF-CVE-2026-48596 related

github.com/...ommit/23601edac5d22ba9407b427967b5bdbda201aec2 patch

cve.org (CVE-2026-48596)

nvd.nist.gov (CVE-2026-48596)

Download JSON