CVE-2026-49753

Name of the Vulnerable Software and Affected Versions mint versions 0.1.0 through 1.8.x

Description An inconsistent interpretation of HTTP requests, known as HTTP Request/Response Smuggling, allows attacker-controlled HTTP/1 servers to desynchronize response framing on shared connections. The issue occurs because the HTTP/1 Content-Length parser, specifically the content length header/1 function in lib/mint/http1/parse.ex, uses Integer.parse/1 to process header values. This allows optional plus (+) or minus (-) sign prefixes; while negative values are rejected, inputs like +0 or +123 are accepted as valid lengths, contradicting RFC 7230 which permits only digits. A fronting proxy or load balancer enforcing strict grammar may reject or reframe such headers while Mint treats them as valid. When sockets are reused via keep-alive, pipelining, or pooled connections shared across requesters, this disagreement allows bytes from one response to be attributed to the next, potentially leaking data into a different consumer's response stream if the connection is shared across trust boundaries.

Recommendations Update to version 1.9.0 or later.