CVE-2026-49753— HTTP response smuggling in Mint HTTP/1 client via lenient Content-Length parsing
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 2
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| elixir-mint | mint | 0.1.0< 1.9.0 | affected |
65e0e86d799a6d3b08e4372fccdd9747535e0dd6< 47e48027480228e4e32a0b4df39db497b4804921 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-49753
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
HTTP response smuggling in Mint HTTP/1 client via lenient Content-Length parsing
Source: NVD (National Vulnerability Database)
Vulnerability Description
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in elixir-mint Mint allows attacker-controlled HTTP/1 servers to desynchronise response framing on shared connections. Mint's HTTP/1 Content-Length parser, Mint.HTTP1.Parse.content_length_header/1 in lib/mint/http1/parse.ex, parses the header value with Integer.parse/1, which accepts an optional + or - sign prefix. The length >= 0 guard rejects negatives, but inputs such as +0 or +123 are returned as valid lengths. RFC 7230 specifies Content-Length = 1*DIGIT, with no sign character permitted. A fronting proxy or load balancer that strictly enforces the grammar will reject or reframe a header like Content-Length: +0, while Mint silently treats it as zero. When Mint reuses the socket (keep-alive, pipelining, or any pooled connection shared across requesters), the parser disagreement is a response-smuggling primitive: the proxy delimits the body one way, Mint another, and bytes from one response get attributed to the next. Where the same Mint connection is shared across trust boundaries, an attacker-controlled upstream can leak bytes into a different consumer's response stream. This issue affects mint: from 0.1.0 before 1.9.0.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
HTTP请求的解释不一致性(HTTP请求私运)
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| elixir-mint | mint | 0.1.0 ~ 1.9.0 | cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:* | |
| elixir-mint | mint | 65e0e86d799a6d3b08e4372fccdd9747535e0dd6 ~ 47e48027480228e4e32a0b4df39db497b4804921 | cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:* |
II. Public POCs for CVE-2026-49753
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-49753
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-49753 (1)
Vendor Advisories for CVE-2026-49753 (3)
- 🔗 EEF-CVE-2026-49753 - OSVrelated
Same Patch Batch · elixir-mint · 2026-06-02 · 4 CVEs total
| CVE-2026-48862 | Unbounded conn.streams growth in Mint HTTP/2 client via unenforced PUSH_PROMISE concurrenc | |
| CVE-2026-48861 | CRLF injection in HTTP/1 request line via unvalidated method in Mint | |
| CVE-2026-49754 | HTTP/2 CONTINUATION flood in Mint client via unbounded header-block accumulation |
IV. Related Vulnerabilities
Same weakness: CWE-444
- CVE-2026-6324
Libsoup: libsoup: http request smuggling via unsigned to sig - CVE-2026-47676
Hono: app.mount() strips mount prefix using undecoded path, - CVE-2026-48710
Starlette has missing Host header validation that poisons re - CVE-2026-8620
IBM WebSphere Application Server and WebSphere Application S - CVE-2026-42585
Netty: HTTP Request Smuggling due to malformed Transfer-Enco
V. Comments for CVE-2026-49753
No comments yet