CVE-2026-48861— CRLF injection in HTTP/1 request line via unvalidated method in Mint
Affected Version Matrix 2
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| elixir-mint | mint | 0.1.0< 1.9.0 | affected |
8db1acff30b6a9433762c18b1e1f891b8c1f74f7< fad091454cbb7449b19edb8e1fee12ca7cf28c3a | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-48861
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
CRLF injection in HTTP/1 request line via unvalidated method in Mint
Source: NVD (National Vulnerability Database)
Vulnerability Description
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in elixir-mint Mint allows HTTP Request Splitting and HTTP Request Smuggling. In lib/mint/http1/request.ex, the encode_request_line/2 function splices the caller-supplied method and target arguments directly into the HTTP/1 request line without any character validation: [method, ?\s, target, " HTTP/1.1\r\n"]. An application that forwards attacker-controlled input as the HTTP method or target to Mint.HTTP.request/5 is therefore exposed to request-line CRLF injection: the attacker can terminate the request line early, inject arbitrary headers, and smuggle an entirely separate pipelined HTTP request onto the same TCP connection. Mint 1.7.0 introduced validate_request_target/2, which rejects CRLF and other control characters in the target by default and closes the path/query vector unless the caller opts out via skip_target_validation: true. The method field remains unvalidated, so the method-based injection is exploitable under the default Mint configuration on all versions. This issue affects mint: from 0.1.0 before 1.9.0.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
对CRLF序列的转义处理不恰当(CRLF注入)
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| elixir-mint | mint | 0.1.0 ~ 1.9.0 | cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:* | |
| elixir-mint | mint | 8db1acff30b6a9433762c18b1e1f891b8c1f74f7 ~ fad091454cbb7449b19edb8e1fee12ca7cf28c3a | cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:* |
II. Public POCs for CVE-2026-48861
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-48861
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-48861 (1)
Vendor Advisories for CVE-2026-48861 (3)
Same Patch Batch · elixir-mint · 2026-06-02 · 4 CVEs total
| CVE-2026-48862 | Unbounded conn.streams growth in Mint HTTP/2 client via unenforced PUSH_PROMISE concurrenc | |
| CVE-2026-49753 | HTTP response smuggling in Mint HTTP/1 client via lenient Content-Length parsing | |
| CVE-2026-49754 | HTTP/2 CONTINUATION flood in Mint client via unbounded header-block accumulation |
IV. Related Vulnerabilities
Same weakness: CWE-93
- CVE-2026-45372
cpp-httplib: HTTP header value percent-decoding in server-si - CVE-2026-49130
Music Player Daemon < 0.24.11 CRLF Injection via XspfPlaylis - CVE-2026-46740
Mojolicious::Plugin::Statsd versions through 0.04 for Perl a - CVE-2026-44214
eventsource-encoder: SSE event injection via unsanitized eve - CVE-2026-47072
CRLF injection in WebSocket upgrade request in hackney
V. Comments for CVE-2026-48861
No comments yet