Description
Improper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped Content-Disposition parameter values.

Tesla.Multipart.part_headers_for_disposition/1 interpolates each disposition parameter as #{k}="#{v}" with no validation of CR (\r), LF (\n), or double-quote characters. The values come verbatim from the caller via Tesla.Multipart.add_field/4 (the name parameter), Tesla.Multipart.add_file/3, and Tesla.Multipart.add_file_content/4 (both the filename parameter and other disposition opts). A " in the value closes the quoted parameter early; a \r\n ends the Content-Disposition header line and starts a new part header (such as a forged Content-Type), or, after a second \r\n, ends the entire part header block and prepends bytes to the part body. The default-filename path in add_file/3 derives the filename via Path.basename/1, which does not strip CR or LF, so any application forwarding a partially-attacker-controlled file path inherits the same issue.

This issue affects tesla: from 0.8.0 before 1.18.3.
Published: 2026-06-02
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when Tesla constructs multipart disposition headers without escaping CR (\r), LF (\n), or double‑quote characters; an attacker can inject line breaks or quotes into the header, resulting in forged headers such as an alternate Content‑Type or premature termination of the header block. This change in header values can affect how the receiving server interprets the part, potentially leading to unintended behavior when the request is forwarded.

Affected Systems

The issue affects the Elixir‑Tesla library "Tesla" from version 0.8.0 up to, but not including, 1.18.3. Any application that uses the library’s Multipart functions—add_field/4, add_file/3, add_file_content/4—to build HTTP requests with user‑supplied names, filenames or disposition options is vulnerable.

Risk and Exploitability

The CVSS score of 2.1 indicates low severity, and the EPSS is not reported. The vulnerability is not listed in CISA KEV. Exploitation would require the attacker to craft a multipart request that the application forwards via Tesla, which is a relatively narrow attack surface. The likely vector is during inbound requests that are processed by the application and sent downstream using Tesla, making this risk low to medium in typical deployments.

Generated by OpenCVE AI on June 3, 2026 at 04:30 UTC.

Remediation

Vendor Workaround

Validate disposition parameter values before passing them to Tesla.Multipart.add_field/4, Tesla.Multipart.add_file/3, or Tesla.Multipart.add_file_content/4, rejecting any value that contains \r, \n, or ".

OpenCVE Recommended Actions

  • Upgrade Tesla to version 1.18.3 or later.
  • Validate any disposition parameter values before calling Tesla.Multipart.add_field/4, add_file/3, or add_file_content/4, rejecting values that contain CR, LF, or double‑quote characters.
  • Ensure that filenames derived from user input are sanitized by stripping CR and LF characters before being passed to the library.

Generated by OpenCVE AI on June 3, 2026 at 04:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Description Improper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped Content-Disposition parameter values. Tesla.Multipart.part_headers_for_disposition/1 interpolates each disposition parameter as #{k}="#{v}" with no validation of CR (\r), LF (\n), or double-quote characters. The values come verbatim from the caller via Tesla.Multipart.add_field/4 (the name parameter), Tesla.Multipart.add_file/3, and Tesla.Multipart.add_file_content/4 (both the filename parameter and other disposition opts). A " in the value closes the quoted parameter early; a \r\n ends the Content-Disposition header line and starts a new part header (such as a forged Content-Type), or, after a second \r\n, ends the entire part header block and prepends bytes to the part body. The default-filename path in add_file/3 derives the filename via Path.basename/1, which does not strip CR or LF, so any application forwarding a partially-attacker-controlled file path inherits the same issue. This issue affects tesla: from 0.8.0 before 1.18.3.
Title CRLF injection in Tesla.Multipart disposition parameters allows multipart part header injection
First Time appeared Elixir-tesla
Elixir-tesla tesla
Weaknesses CWE-116
CPEs cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*
Vendors & Products Elixir-tesla
Elixir-tesla tesla
References
Metrics cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N'}

Subscriptions

Elixir-tesla Tesla
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-04T04:45:23.895Z

Reserved: 2026-05-22T09:36:56.834Z

Link: CVE-2026-48598

cve-icon Vulnrichment

Updated: 2026-06-03T14:56:59.609Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-02T20:16:38.847

Modified: 2026-06-04T15:42:22.947

Link: CVE-2026-48598

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T10:55:01Z

Weaknesses
  • CWE-116

    Improper Encoding or Escaping of Output