Description
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in elixir-mint Mint allows HTTP Request Splitting and HTTP Request Smuggling.

In lib/mint/http1/request.ex, the encode_request_line/2 function splices the caller-supplied method and target arguments directly into the HTTP/1 request line without any character validation: [method, ?\s, target, " HTTP/1.1\r\n"]. An application that forwards attacker-controlled input as the HTTP method or target to Mint.HTTP.request/5 is therefore exposed to request-line CRLF injection: the attacker can terminate the request line early, inject arbitrary headers, and smuggle an entirely separate pipelined HTTP request onto the same TCP connection.

Mint 1.7.0 introduced validate_request_target/2, which rejects CRLF and other control characters in the target by default and closes the path/query vector unless the caller opts out via skip_target_validation: true. The method field remains unvalidated, so the method-based injection is exploitable under the default Mint configuration on all versions.

This issue affects mint: from 0.1.0 before 1.9.0.
Published: 2026-06-02
Score: 2.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the Mint HTTP library’s encode_request_line/2 function, which concatenates the caller‑supplied method and target into the HTTP/1 request line without validating for CRLF or other control characters. An attacker able to influence either value can terminate the request line early and inject arbitrary headers, enabling HTTP request splitting or smuggling. The issue is present in all Mint releases from 0.1.0 up to, but not including, 1.9.0. No additional logic was added to reject CRLF in the method field even after Mint 1.7.0 introduced target validation, leaving the method field permanently unvalidated under default configuration.

Affected Systems

Elixir Mint (version 0.1.0 through 1.8.x). Applications that forward external input to Mint.HTTP.request/5 without sanitizing the method or target strings, such as HTTP reverse proxies or forwarders built with Mint, are susceptible.

Risk and Exploitability

The CVSS score of 2.1 reflects a low‑severity impact. The EPSS value is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply a crafted HTTP method or target string; therefore the risk is limited to contexts where such input is propagated to Mint without prior validation. No direct attack scenario was specified in the original disclosure.

Generated by OpenCVE AI on June 2, 2026 at 17:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mint to version 1.9.0 or newer, which rejects CRLF characters in the request target and mitigates the vulnerability.
  • Validate the HTTP method argument before calling Mint.HTTP.request, rejecting CRLF or other control characters to prevent method‑based injection.
  • Avoid setting skip_target_validation to true for calls that may receive externally supplied method or target strings; use the default validation or set the flag to false.

Generated by OpenCVE AI on June 2, 2026 at 17:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in elixir-mint Mint allows HTTP Request Splitting and HTTP Request Smuggling. In lib/mint/http1/request.ex, the encode_request_line/2 function splices the caller-supplied method and target arguments directly into the HTTP/1 request line without any character validation: [method, ?\s, target, " HTTP/1.1\r\n"]. An application that forwards attacker-controlled input as the HTTP method or target to Mint.HTTP.request/5 is therefore exposed to request-line CRLF injection: the attacker can terminate the request line early, inject arbitrary headers, and smuggle an entirely separate pipelined HTTP request onto the same TCP connection. Mint 1.7.0 introduced validate_request_target/2, which rejects CRLF and other control characters in the target by default and closes the path/query vector unless the caller opts out via skip_target_validation: true. The method field remains unvalidated, so the method-based injection is exploitable under the default Mint configuration on all versions. This issue affects mint: from 0.1.0 before 1.9.0.
Title CRLF injection in HTTP/1 request line via unvalidated method in Mint
First Time appeared Elixir-mint
Elixir-mint mint
Weaknesses CWE-93
CPEs cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*
Vendors & Products Elixir-mint
Elixir-mint mint
References
Metrics cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N'}

Subscriptions

Elixir-mint Mint
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-02T19:14:00.466Z

Reserved: 2026-05-25T20:44:10.697Z

Link: CVE-2026-48861

cve-icon Vulnrichment

Updated: 2026-06-02T18:11:40.193Z

cve-icon NVD

Status : Deferred

Published: 2026-06-02T16:16:44.470

Modified: 2026-06-02T20:16:39.120

Link: CVE-2026-48861

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T17:45:05Z

Weaknesses