PT-2026-47333 · Req

Peter Ullrich +1

Published 2026-06-08 · Updated 2026-06-08

CVE-2026-49756

CVSS v4.0: 2.1 (Low)
Vector: AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: wojtekmach Req versions 0.5.3 through 0.5.9
Description: Improper Neutralization of CRLF Sequences, also known as CRLF Injection, allows multipart parameter smuggling through attacker-influenced part metadata. The function encode_form_part/2 in lib/req/utils.ex constructs per-part headers by interpolating the name, filename, and content type values directly into the content-disposition and content-type lines without escaping or stripping Carriage Return (CR) and Line Feed (LF) characters. A value containing quotes, \r, or \n can close the quoted value and start a new header line. Furthermore, adding \r\n--<boundary> can terminate the current part and prepend a smuggled part. This is especially accessible when the value is a %File.Stream{}, because the filename defaults to Path.basename(stream.path), and POSIX filenames may contain \r and \n. Applications that forward user-controlled filenames, field names, or MIME types through Req.post/2 with form_multipart: allow attackers to inject arbitrary headers or smuggle additional fields and parts into requests sent to downstream services.
Recommendations: Update to version 0.6.0. Sanitize attacker-influenced name, filename, and content type values before passing them to Req.post/2 with form_multipart: by rejecting or stripping any value containing \r, \n, or quotes. When forwarding uploads, derive the filename from a normalized string instead of using Path.basename/1 on a user-controlled path.
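As an added illustration of the recommendation above (example code, not Req's own), an Elixir guard module that rejects field names and content types containing CR, LF or quotes, and derives the upload filename from a normalized basename instead of the raw user path. The {content, filename: ..., content_type: ...} part shape is assumed from Req's documented form_multipart: option; the {name, content, user_path, content_type} input tuples of build_parts/1 are this example's own convention.

```elixir
defmodule SafeMultipart do
  # Guards attacker-influenced multipart metadata before it reaches
  # Req.post/2 with form_multipart:. Added example; not Req's own code.

  # Reject values that could close the quoted header parameter or start a
  # new header line: CR, LF, or a double quote.
  def check_header_value(value) when is_binary(value) do
    cond do
      String.contains?(value, ["\r", "\n"]) -> {:error, :crlf}
      String.contains?(value, "\"") -> {:error, :quote}
      true -> {:ok, value}
    end
  end

  # Derive the filename from a normalized string: take the basename, then
  # replace everything outside a conservative character set so no CR, LF,
  # quote or path separator survives. An empty result becomes "upload".
  def safe_filename(user_path) when is_binary(user_path) do
    case String.replace(Path.basename(user_path), ~r/[^A-Za-z0-9._-]/, "_") do
      "" -> "upload"
      name -> name
    end
  end

  # Build the form_multipart: list from {name, content, user_path, content_type}
  # tuples. The {content, filename: ..., content_type: ...} part shape is
  # assumed from Req's documented form_multipart: option.
  def build_parts(parts) do
    Enum.reduce_while(parts, {:ok, []}, fn {name, content, user_path, ctype}, {:ok, acc} ->
      with {:ok, safe_name} <- check_header_value(name),
           {:ok, safe_ctype} <- check_header_value(ctype) do
        part = {safe_name, {content, filename: safe_filename(user_path), content_type: safe_ctype}}
        {:cont, {:ok, [part | acc]}}
      else
        {:error, reason} -> {:halt, {:error, {name, reason}}}
      end
    end)
    |> case do
      {:ok, acc} -> {:ok, Enum.reverse(acc)}
      error -> error
    end
  end
end

# Constructed inputs: a CRLF carried in a POSIX filename, and a field name
# carrying a quote. The pattern matches raise MatchError if a guard fails.
"report__X-Injected__1.pdf" = SafeMultipart.safe_filename("/tmp/report\r\nX-Injected: 1.pdf")
{:error, {"bad\"name", :quote}} = SafeMultipart.build_parts([{"bad\"name", "x", "a.txt", "text/plain"}])
{:ok, [{"doc", {"x", filename: "a.txt", content_type: "text/plain"}}]} =
  SafeMultipart.build_parts([{"doc", "x", "/srv/a.txt", "text/plain"}])
```

The {:ok, parts} result is what a caller would pass as the form_multipart: option; on {:error, _} the request is not sent.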


Related Identifiers

CVE-2026-49756
GHSA-PX9F-WHJ3-246M

Affected Products

Req