PT-2026-45784 · Mint · Mint

Eric Meadows-Jönsson

Published: 2026-06-02 · Updated: 2026-06-02 · CVE-2026-48861

CVSS v4.0: 2.1 (Low)

Vector: AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions

mint versions 0.1.0 through 1.8.x

Description

Improper Neutralization of CRLF Sequences, also known as CRLF Injection, allows HTTP Request Splitting and HTTP Request Smuggling. In the encode_request_line/2 function within lib/mint/http1/request.ex, the method and target arguments are spliced directly into the HTTP/1 request line without character validation. Applications forwarding attacker-controlled input as the HTTP method or target to the Mint.HTTP.request/5 function are exposed to request-line CRLF injection. This enables an attacker to terminate the request line prematurely, inject arbitrary headers, and smuggle a separate pipelined HTTP request over the same TCP connection. While the validate_request_target/2 function introduced in version 1.7.0 rejects CRLF and control characters in the target by default, the method field remains unvalidated across all versions.

Recommendations

Update to version 1.9.0 or later.
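Applications that pass user-influenced values as the method or target can also check them before they reach Mint.HTTP.request/5, as defence in depth alongside the upgrade. The module below is an added example, not code from Mint or from the advisory: SafeRequest, check/2 and the error atoms are hypothetical names, the method rule is the RFC 9110 token grammar, and the target rule only covers spaces, DEL and control bytes.

```elixir
defmodule SafeRequest do
  # Hypothetical caller-side guard (not part of Mint). It rejects any method
  # or target that could end the HTTP/1 request line early.

  # Punctuation allowed in an RFC 9110 token, in addition to letters and digits.
  @tchar_punct ~c"!#$%&'*+-.^_`|~"

  def check(method, target) when is_binary(method) and is_binary(target) do
    cond do
      not token?(method) -> {:error, :invalid_method}
      not clean_target?(target) -> {:error, :invalid_target}
      true -> :ok
    end
  end

  def check(_method, _target), do: {:error, :invalid_argument}

  # Same arguments as Mint.HTTP.request/5. On rejection it returns an
  # {:error, conn, reason} tuple with an atom reason (an assumption of this
  # example; Mint's own errors use exception structs).
  def request(conn, method, target, headers, body) do
    case check(method, target) do
      :ok -> Mint.HTTP.request(conn, method, target, headers, body)
      {:error, reason} -> {:error, conn, reason}
    end
  end

  # A method must be a non-empty run of token characters, so CR, LF, SP and
  # ":" can never appear in it.
  defp token?(""), do: false
  defp token?(bin), do: bin |> :binary.bin_to_list() |> Enum.all?(&tchar?/1)

  defp tchar?(b) when b in ?a..?z or b in ?A..?Z or b in ?0..?9, do: true
  defp tchar?(b), do: b in @tchar_punct

  # A target must be non-empty and free of SP, DEL and C0 controls (CR, LF).
  defp clean_target?(""), do: false

  defp clean_target?(bin) do
    bin |> :binary.bin_to_list() |> Enum.all?(&(&1 > 0x20 and &1 != 0x7F))
  end
end

# Constructed inputs: the second method carries a CRLF and an extra header line.
IO.inspect(SafeRequest.check("GET", "/items?id=1"))
IO.inspect(SafeRequest.check("GET / HTTP/1.1\r\nX-Added: 1", "/"))
IO.inspect(SafeRequest.check("GET", "/a\r\nX-Added: 1"))
```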

Related Identifiers

CVE-2026-48861
GHSA-2PG6-44CX-C49V

Affected Products

Mint