Impact
The vulnerability arises because the Tesla.Multipart.add_content_type_param/2 function appends caller-supplied strings directly to the multipart content_type_params list without removing or escaping CR (\r) or LF (\n) characters. When these parameters are later concatenated into the outgoing Content-Type header, a value containing \r\n terminates the header line early, allowing an attacker to inject arbitrary HTTP headers into the request. Injected headers such as Host, User-Agent, or custom headers can expose sensitive data or change the behavior of downstream services. The weakness is classified as CWE-113, Improper Neutralization of CRLF Sequences in HTTP Headers.
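The following is an added defensive example, not code from the tesla project or from the advisory. It wraps the call described above so that caller-supplied strings containing CR or LF are rejected before they reach content_type_params, and adds a post-condition check over the rendered headers. It assumes the public Tesla.Multipart API (new/0, add_content_type_param/2, headers/1, and the Tesla.Multipart.t() type); the module name SafeMultipart and the sample inputs are constructed for illustration.

```elixir
# Added example (not tesla project code). Assumes Tesla.Multipart exposes
# new/0, add_content_type_param/2 and headers/1, the last of which renders
# content_type_params into the Content-Type header value.
defmodule SafeMultipart do
  @moduledoc """
  Guards Tesla.Multipart.add_content_type_param/2 so that parameter strings
  containing CR or LF never reach the outgoing Content-Type header.
  """

  # A Content-Type parameter is a single header-line token; a line break can
  # never be legitimate, so CR and LF are rejected outright rather than escaped.
  @spec add_content_type_param(Tesla.Multipart.t(), String.t()) ::
          {:ok, Tesla.Multipart.t()} | {:error, :crlf_in_param}
  def add_content_type_param(%Tesla.Multipart{} = mp, param) when is_binary(param) do
    if String.contains?(param, ["\r", "\n"]) do
      {:error, :crlf_in_param}
    else
      {:ok, Tesla.Multipart.add_content_type_param(mp, param)}
    end
  end

  # Last line of defence (also handy in tests and middleware): confirm that
  # every header the multipart body will emit is free of CR/LF.
  @spec headers_safe?(Tesla.Multipart.t()) :: boolean()
  def headers_safe?(%Tesla.Multipart{} = mp) do
    mp
    |> Tesla.Multipart.headers()
    |> Enum.all?(fn {_name, value} -> not String.contains?(value, ["\r", "\n"]) end)
  end
end

# Usage with constructed inputs:
#   mp = Tesla.Multipart.new()
#   {:ok, mp} = SafeMultipart.add_content_type_param(mp, "charset=utf-8")
#   {:error, :crlf_in_param} =
#     SafeMultipart.add_content_type_param(mp, "charset=utf-8\r\nX-Injected: 1")
#   true = SafeMultipart.headers_safe?(mp)
```

Rejecting rather than stripping the control characters is deliberate: a parameter that contains a line break is never a valid Content-Type parameter, so failing loudly surfaces the bad input at the application boundary instead of silently altering it. The headers_safe?/1 check is useful as a regression test after upgrading to a fixed release, since it asserts on the rendered header rather than on the input path.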
Affected Systems
The affected component is the tesla library maintained by the elixir-tesla organization. Affected versions start at 0.8.0 and include every release prior to 1.18.3. Any application that depends on tesla 1.18.2 or earlier and forwards user-controlled data to Tesla.Multipart.add_content_type_param/2 is therefore at risk.
Risk and Exploitability
The CVSS score of 2.1 classifies the issue as low severity. No EPSS score is currently available, and the vulnerability is not listed in the CISA KEV catalog, indicating a low likelihood of widespread exploitation. However, an attacker who controls, or can induce an application to pass, untrusted strings to add_content_type_param/2 can achieve header injection. Because the attack surface depends on application logic rather than on a directly exposed interface, exploitability is limited, but not ruled out in poorly designed systems.
OpenCVE Enrichment