Description
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in wojtekmach Req allows multipart parameter smuggling via attacker-influenced part metadata.

Req.Utils.encode_form_part/2 in lib/req/utils.ex builds the per-part headers by interpolating the caller-supplied name, filename, and content_type values directly into the content-disposition and content-type lines with no escaping or CRLF stripping. A value containing ", \r, or \n closes the surrounding quoted value and starts a new header line; an additional \r\n--<boundary> terminates the current part and prepends a smuggled part of the attacker's choosing.

This is reachable through every supported way of supplying a part. It is particularly easy when value is a %File.Stream{}, because filename then defaults to Path.basename(stream.path) and POSIX filenames may legitimately contain \r and \n. Any application that forwards user-controlled filenames (or field names / MIME types) through Req.post/2 with form_multipart: lets an attacker inject arbitrary headers into the outgoing multipart body or smuggle additional fields and parts into the request the victim service sends downstream.

This issue affects req: from 0.5.3 before 0.6.0.
Published: 2026-06-08
Score: 2.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is the lack of escaping or CRLF stripping for the name, filename and content_type values that Req writes into each part's content-disposition and content-type headers. An attacker who controls one of those values can include carriage return, line feed or double-quote characters to close the quoted field, append part headers the caller never set and, if the boundary is known, terminate the current part and smuggle additional parts. The result is a modified multipart request sent by the application to the downstream service, which may treat the injected fields and parts as legitimate input.

Affected Systems

The issue affects the Req HTTP client library developed by wojtekmach, specifically versions starting at 0.5.3 up to, but not including, 0.6.0. Applications built with these versions that use Req.post/2 with form_multipart and supply user-controlled field names, filenames or MIME types are vulnerable. The vulnerability is present in any code path that builds multipart bodies through Req.Utils.encode_form_part/2.

Risk and Exploitability

The CVSS 4.0 score of 2.1 (Low) reflects limited impact: the flaw is confined to the multipart body of an outgoing request and gives no code execution on the host running Req. Exploitation requires an application that forwards user-controlled part metadata (filenames, field names or MIME types) through Req to another service; the injected headers and parts affect that downstream request, not the Req process itself. No EPSS score is available and the vulnerability is not listed in CISA KEV. The likely attack vector is an application that accepts file uploads and passes the uploaded name through: POSIX filenames can legitimately contain CR and LF, so a filename derived from Path.basename/1 on a user-controlled path is an easy carrier for injected header lines or extra parts.

Generated by OpenCVE AI on June 8, 2026 at 16:39 UTC.

Remediation

Vendor Workaround

Sanitize attacker-influenced name, filename, and content_type values before passing them to Req.post/2 with form_multipart:. At minimum, reject (or strip) any value containing \r, \n, or ". When forwarding uploads, derive filename from a normalised string rather than Path.basename/1 on a user-controlled path.


OpenCVE Recommended Actions

  • Update to Req version 0.6.0 or later to fix the injection flaw.
  • Sanitize all user‑controlled name, filename, and content_type values before passing them to Req.post/2 with form_multipart. Reject or strip values that contain \r, \n, or " characters.
  • When forwarding uploads, derive the filename from a normalised string rather than using Path.basename on a user‑controlled path.
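The following Elixir example is added here and is not Req's own code or part of the advisory. It mirrors the header-interpolation pattern the Description attributes to Req.Utils.encode_form_part/2, so the effect of a CRLF-bearing filename can be seen, and applies the checks the workaround and the actions above call for before a part reaches Req.post/2. MultipartDemo and all of its functions are hypothetical names; the fixed boundary stands in for the one Req generates, and the `{value, filename: ..., content_type: ...}` part form is the one Req's documentation describes for `form_multipart:`, to be confirmed against the Req version in use.

```elixir
# Added example, not code from Req itself. MultipartDemo, build_part_unsafe/4,
# part_count/1, crafted_filename/0, clean_part_value/1, safe_filename/1 and
# post_upload/3 are hypothetical names; the fixed boundary below stands in for
# the random one Req generates.
defmodule MultipartDemo do
  @boundary "----demo-boundary"

  # The unsafe pattern the advisory describes: name, filename and content_type
  # are interpolated straight into the header lines, with no escaping or CRLF
  # stripping. Kept only to show the effect; never build parts this way.
  def build_part_unsafe(name, filename, content_type, body) do
    "--#{@boundary}\r\n" <>
      "content-disposition: form-data; name=\"#{name}\"; filename=\"#{filename}\"\r\n" <>
      "content-type: #{content_type}\r\n\r\n" <>
      body <> "\r\n"
  end

  # Number of parts a receiver that splits on the boundary would see.
  def part_count(encoded) do
    encoded
    |> String.split("--#{@boundary}\r\n")
    |> Enum.drop(1)
    |> length()
  end

  # Constructed attacker filename: closes the quoted value, injects a header the
  # caller never set, then (given the boundary, as the advisory's smuggling step
  # assumes) terminates the part and starts an extra "role" field.
  def crafted_filename do
    "report.txt\"\r\ncontent-type: text/html\r\n\r\n<b>x</b>\r\n" <>
      "--#{@boundary}\r\ncontent-disposition: form-data; name=\"role\"\r\n\r\nadmin"
  end

  # Workaround from the advisory: refuse any value carrying CR, LF or a double quote.
  def clean_part_value(value) when is_binary(value) do
    if String.contains?(value, ["\r", "\n", "\""]),
      do: {:error, :unsafe_part_value},
      else: {:ok, value}
  end

  # Derive the filename from a normalised string instead of trusting
  # Path.basename/1 on a user-controlled path: keep a conservative character
  # set and fall back to a fixed name if nothing survives.
  def safe_filename(user_path) when is_binary(user_path) do
    case user_path |> Path.basename() |> String.replace(~r/[^A-Za-z0-9._-]/, "_") do
      "" -> "upload"
      name -> name
    end
  end

  # Forwarding an upload with sanitised part metadata. The {value, options} part
  # form and Req.post/2 are used as the advisory references them; confirm the
  # option names against the docs of the Req version in use.
  def post_upload(url, user_path, user_content_type) do
    with {:ok, content_type} <- clean_part_value(user_content_type) do
      Req.post(url,
        form_multipart: [
          file:
            {File.stream!(user_path),
             filename: safe_filename(user_path), content_type: content_type}
        ]
      )
    end
  end

  # Run in IEx as MultipartDemo.demo(): the first element is how many parts the
  # unsafe encoder produced from a single caller-supplied part, the second is
  # the workaround check rejecting the same crafted filename.
  def demo do
    smuggled = build_part_unsafe("file", crafted_filename(), "text/plain", "hello")
    {part_count(smuggled), clean_part_value(crafted_filename())}
  end
end
```

The header-injection half of `crafted_filename/0` (the extra content-type line) needs no knowledge of the boundary; only the smuggled "role" part does. `clean_part_value/1` is deliberately a reject rather than a strip, so a malicious filename fails the request instead of being silently rewritten into something the downstream service still has to interpret.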



Advisories

No advisories yet.

History

Mon, 08 Jun 2026 16:30:00 +0000

Values added:

Metrics: SSVC (version 2.0.3): Automatable: no; Exploitation: poc; Technical Impact: partial


Mon, 08 Jun 2026 15:45:00 +0000

Values added:

Description: the description shown at the top of this page
Title: Multipart form-data header injection in Req via unescaped name/filename/content_type
First Time appeared: Wojtekmach; Wojtekmach req
Weaknesses: CWE-93
CPEs: cpe:2.3:a:wojtekmach:req:*:*:*:*:*:*:*:*
Vendors & Products: Wojtekmach; Wojtekmach req
References: (empty)
Metrics: cvssV4_0, score 2.1, vector CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-08T16:34:58.505Z

Reserved: 2026-06-01T13:45:22.448Z

Link: CVE-2026-49756

Vulnrichment

Updated: 2026-06-08T16:05:28.978Z

NVD

Status: Received

Published: 2026-06-08T16:16:44.040

Modified: 2026-06-08T17:16:52.790

Link: CVE-2026-49756

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T16:45:26Z

Weaknesses