
Description

Improper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped Content-Disposition parameter values. Tesla.Multipart.part_headers_for_disposition/1 interpolates each disposition parameter as #{k}="#{v}" with no validation of CR (\r), LF (\n), or double-quote characters. The values come verbatim from the caller via Tesla.Multipart.add_field/4 (the name parameter), Tesla.Multipart.add_file/3, and Tesla.Multipart.add_file_content/4 (both the filename parameter and other disposition opts).

A " in the value closes the quoted parameter early; a \r\n ends the Content-Disposition header line and starts a new part header (such as a forged Content-Type), or, after a second \r\n, ends the entire part header block and prepends bytes to the part body. The default-filename path in add_file/3 derives the filename via Path.basename/1, which does not strip CR or LF, so any application forwarding a partially-attacker-controlled file path inherits the same issue.

This issue affects tesla: from 0.8.0 before 1.18.3.
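As an added example (this is not Tesla's source and not the 1.18.3 fix, which is at the patch link below): an Elixir model of the verbatim #{k}="#{v}" interpolation the description names, a hardened builder that rejects control characters and backslash-escapes quotes, and a small serialiser/parser that shows what a receiver actually sees when a crafted filename reaches the vulnerable path. The module name, function names and the filename are all constructed for this illustration.

```elixir
# Added example for CVE-2026-48598; not Tesla's source and not the 1.18.3 fix.
# Models the #{k}="#{v}" interpolation the description names beside a
# hardened builder, then shows what a receiver parses from a crafted filename.
defmodule DispositionDemo do
  @crlf "\r\n"

  # Vulnerable model: each disposition parameter is interpolated verbatim.
  def vulnerable_disposition(params) do
    "form-data; " <> Enum.map_join(params, "; ", fn {k, v} -> ~s(#{k}="#{v}") end)
  end

  # Hardened builder: refuse any control character (CR and LF included) and
  # backslash-escape the two characters that can end a quoted-string.
  def safe_disposition(params) do
    "form-data; " <>
      Enum.map_join(params, "; ", fn {k, v} ->
        v = to_string(v)

        if Enum.any?(String.to_charlist(v), &(&1 < 32 or &1 == 127)) do
          raise ArgumentError, "control character in disposition parameter #{k}"
        end

        ~s(#{k}="#{quote_value(v)}")
      end)
  end

  defp quote_value(v) do
    v
    |> String.replace("\\", "\\\\")
    |> String.replace("\"", "\\\"")
  end

  # Serialises one part's header block: "name: value" lines, CRLF-terminated,
  # followed by the empty line that separates headers from the part body.
  def part_header_block(disposition) do
    headers = [{"content-disposition", disposition}, {"content-type", "text/plain"}]
    Enum.map_join(headers, "", fn {k, v} -> k <> ": " <> v <> @crlf end) <> @crlf
  end

  # Parses a header block the way a receiver would: header lines up to the
  # first empty line; everything after that is part body.
  def parse_header_block(block) do
    [head, body] = String.split(block, @crlf <> @crlf, parts: 2)

    headers =
      head
      |> String.split(@crlf)
      |> Enum.map(fn line ->
        case String.split(line, ": ", parts: 2) do
          [k, v] -> {String.downcase(k), v}
          [k] -> {String.downcase(k), ""}
        end
      end)

    {headers, body}
  end
end

# Constructed attacker-controlled filename: closes the quoted value, ends the
# Content-Disposition line, forges a Content-Type, then ends the header block.
filename = "x.txt\"\r\ncontent-type: text/html\r\n\r\n<script>alert(1)</script>"
params = [{"name", "file"}, {"filename", filename}]

{headers, body} =
  params
  |> DispositionDemo.vulnerable_disposition()
  |> DispositionDemo.part_header_block()
  |> DispositionDemo.parse_header_block()

# The receiver sees the forged content-type; the legitimate one is now body bytes.
IO.inspect(headers, label: "parsed headers")
IO.inspect(body, label: "part body")

# The hardened builder refuses the same input and escapes a lone quote.
{:error, %ArgumentError{}} =
  try do
    {:ok, DispositionDemo.safe_disposition(params)}
  rescue
    e in ArgumentError -> {:error, e}
  end

IO.puts(DispositionDemo.safe_disposition([{"name", "file"}, {"filename", ~s(a".txt)}]))
```

Run it with `elixir disposition_demo.exs`. The first inspect shows `content-type: text/html` parsed as a part header while the real `content-type: text/plain` line has been pushed into the body, which is the header-injection and body-prefix effect the description spells out. The hardened builder uses the quoted-pair convention (backslash before `"` and `\`) for quotes; since not every multipart receiver honours quoted-pair, rejecting the quote as well is the conservative choice when the downstream parser is unknown.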

PUBLISHED Reserved 2026-05-22 | Published 2026-06-02 | Updated 2026-06-04 | Assigner EEF

LOW: 2.1 | CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

Problem types

CWE-116 Improper Encoding or Escaping of Output

Product status

Default status: unaffected
0.8.0 (semver) before 1.18.3: affected

Default status: unaffected
6ebfdb9abe9c6f119408045b933d82462decd351 (git) before bb1a2c3da2775924d96e3db8e315dcc4d5d2246e: affected

Credits

Peter Ullrich (finder)
Yordis Prieto (remediation developer)
Jonatan Männchen (analyst)

References

github.com/.../tesla/security/advisories/GHSA-28jh-g32x-v9v4 exploit

github.com/.../tesla/security/advisories/GHSA-28jh-g32x-v9v4 vendor-advisory related

cna.erlef.org/cves/CVE-2026-48598.html related

osv.dev/vulnerability/EEF-CVE-2026-48598 related

github.com/...ommit/bb1a2c3da2775924d96e3db8e315dcc4d5d2246e patch

cve.org (CVE-2026-48598)

nvd.nist.gov (CVE-2026-48598)
