PT-2026-57161 · Unknown · Elixir Plug
Jonatan Männchen
+2
·
Published
2026-07-10
·
Updated
2026-07-10
·
CVE-2026-56813
CVSS v4.0
2.1
Low
| Vector | AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N |
Name of the Vulnerable Software and Affected Versions
elixir-plug versions 0.1.0 through 1.16.5
elixir-plug versions 1.17.0 through 1.17.3
elixir-plug versions 1.18.0 through 1.18.4
elixir-plug versions 1.19.0 through 1.19.4
elixir-plug versions 1.20.0 through 1.20.2
Description
Improper neutralization of parameter delimiters allows an attacker to inject or override HTTP cookie attributes. The
encode/2 function in Plug.Conn.Cookies constructs the Set-Cookie response header by interpolating the cookie value and its path, domain, same site, and extra attributes without neutralizing the ';' delimiter. If an application places attacker-controlled data into a cookie value or attribute, such as through the put resp cookie/4 function, an attacker can inject a ';' to append or override attributes like Domain and Path scope, or remove the Secure and HttpOnly flags. This can lead to cookie tossing and session fixation. While carriage return, line feed, and null bytes are rejected, preventing HTTP response splitting, attribute injection via ';' remains possible.Recommendations
Update to version 1.16.6 or later.
Update to version 1.17.4 or later.
Update to version 1.18.5 or later.
Update to version 1.19.5 or later.
Update to version 1.20.3 or later.
As a temporary workaround, validate or reject the ';' delimiter in any untrusted data before passing it as a cookie value or attribute to the
put resp cookie/4 or encode/2 functions.Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Elixir Plug