Description
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in elixir-mint Mint allows attacker-controlled HTTP/1 servers to desynchronise response framing on shared connections.

Mint's HTTP/1 Content-Length parser, Mint.HTTP1.Parse.content_length_header/1 in lib/mint/http1/parse.ex, parses the header value with Integer.parse/1, which accepts an optional + or - sign prefix. The length >= 0 guard rejects negatives, but inputs such as +0 or +123 are returned as valid lengths. RFC 7230 specifies Content-Length = 1*DIGIT, with no sign character permitted.

A fronting proxy or load balancer that strictly enforces the grammar will reject or reframe a header like Content-Length: +0, while Mint silently treats it as zero. When Mint reuses the socket (keep-alive, pipelining, or any pooled connection shared across requesters), the parser disagreement is a response-smuggling primitive: the proxy delimits the body one way, Mint another, and bytes from one response get attributed to the next. Where the same Mint connection is shared across trust boundaries, an attacker-controlled upstream can leak bytes into a different consumer's response stream.

This issue affects mint: from 0.1.0 before 1.9.0.
Published: 2026-06-02
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Mint HTTP/1 client the Content‑Length header is parsed by Integer.parse/1, which accepts an optional "+" or "-" sign. Although a guard later rejects negative values, inputs such as "+0" or "+123" are treated as valid lengths. RFC 7230 defines Content‑Length as a sequence of digits only, so this permissive parsing introduces a mismatch with strictly following implementations. Because Mint silently accepts the signed value while a fronting proxy or load balancer rejects it, the two parties disagree on where the body ends, allowing a malicious upstream server to transmit data across the demarcation intended for the next response. The result is that bytes from one response can be delivered into another consumer’s stream, leaking confidential information or enabling injection of arbitrary content. This flaw corresponds to CWE‑444, which describes inconsistent interpretation of input.

Affected Systems

The vulnerability impacts the Elixir Mint library, affecting all releases from 0.1.0 up to, but not including, 1.9.0. Any application that depends on any of those versions and uses shared or pooled HTTP/1 connections is potentially exposed.

Risk and Exploitability

The CVSS score of 6.3 places the issue in the medium severity range. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. The attack can be carried out by an attacker who controls an upstream HTTP/1 server that shares a connection with the client, such as a fronting proxy or load balancer that enforces strict grammar on incoming responses. By sending a signed Content‑Length header over a keep‑alive or pooled connection, the attacker can desynchronise the framing and smuggle data into a downstream response. Exploitation therefore requires the ability to serve HTTP/1 responses to the vulnerable client.

Generated by OpenCVE AI on June 2, 2026 at 16:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to elixir‑mint 1.9.0 or later, in which the Content‑Length parser rejects signed values.
  • Configure upstream proxies or load balancers to reject or rewrite any Content‑Length header containing a sign character, ensuring strict conformance to RFC 7230.
  • Disable connection pooling or keep‑alive usage in any application that relies on older Mint releases until the library update is applied, to prevent shared‑connection export of smuggled data.
  • If upgrading or reconfiguring is not immediately possible, replace Mint with a client that provides a validated Content‑Length parser or add a wrapper that enforces the canonically correct digit‑only format.

Generated by OpenCVE AI on June 2, 2026 at 16:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in elixir-mint Mint allows attacker-controlled HTTP/1 servers to desynchronise response framing on shared connections. Mint's HTTP/1 Content-Length parser, Mint.HTTP1.Parse.content_length_header/1 in lib/mint/http1/parse.ex, parses the header value with Integer.parse/1, which accepts an optional + or - sign prefix. The length >= 0 guard rejects negatives, but inputs such as +0 or +123 are returned as valid lengths. RFC 7230 specifies Content-Length = 1*DIGIT, with no sign character permitted. A fronting proxy or load balancer that strictly enforces the grammar will reject or reframe a header like Content-Length: +0, while Mint silently treats it as zero. When Mint reuses the socket (keep-alive, pipelining, or any pooled connection shared across requesters), the parser disagreement is a response-smuggling primitive: the proxy delimits the body one way, Mint another, and bytes from one response get attributed to the next. Where the same Mint connection is shared across trust boundaries, an attacker-controlled upstream can leak bytes into a different consumer's response stream. This issue affects mint: from 0.1.0 before 1.9.0.
Title HTTP response smuggling in Mint HTTP/1 client via lenient Content-Length parsing
First Time appeared Elixir-mint
Elixir-mint mint
Weaknesses CWE-444
CPEs cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*
Vendors & Products Elixir-mint
Elixir-mint mint
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Elixir-mint Mint
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-02T19:14:42.817Z

Reserved: 2026-06-01T13:45:22.448Z

Link: CVE-2026-49753

cve-icon Vulnrichment

Updated: 2026-06-02T18:06:34.954Z

cve-icon NVD

Status : Deferred

Published: 2026-06-02T16:16:44.777

Modified: 2026-06-02T20:16:39.883

Link: CVE-2026-49753

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T20:51:04Z

Weaknesses