CRLF injection in Tesla.Multipart disposition parameters allows multipart part header injection

Weakness Type (CWE)

CWE-116 — CWE-116 Improper Encoding or Escaping of Output

CAPEC

CAPEC-105 — CAPEC-105 HTTP Request Splitting

CVSS 4.0 Score

2.1

LOW

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

Vulnerability description

Improper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped Content-Disposition parameter values.

Tesla.Multipart.part_headers_for_disposition/1 interpolates each disposition parameter as #{k}="#{v}" with no validation of CR (\r), LF (\n), or double-quote characters. The values come verbatim from the caller via Tesla.Multipart.add_field/4 (the name parameter), Tesla.Multipart.add_file/3, and Tesla.Multipart.add_file_content/4 (both the filename parameter and other disposition opts). A " in the value closes the quoted parameter early; a \r\n ends the Content-Disposition header line and starts a new part header (such as a forged Content-Type), or, after a second \r\n, ends the entire part header block and prepends bytes to the part body. The default-filename path in add_file/3 derives the filename via Path.basename/1, which does not strip CR or LF, so any application forwarding a partially-attacker-controlled file path inherits the same issue.

This issue affects tesla: from 0.8.0 before 1.18.3.

Affected

`pkg:hex/tesla`

Module	Source File	Routine
`Tesla.Multipart`	`lib/tesla/multipart.ex`	`Tesla.Multipart.part_headers_for_disposition/1`
		`Tesla.Multipart.add_field/4`
		`Tesla.Multipart.add_file/3`
		`Tesla.Multipart.add_file_content/4`

Status	Type	Version	Changes / Fixed in
affected	semver ^ⓘ	`0.8.0`	< `1.18.3`

`pkg:github/elixir-tesla/tesla`

Module	Source File	Routine
`Tesla.Multipart`	`lib/tesla/multipart.ex`	`Tesla.Multipart.part_headers_for_disposition/1`
		`Tesla.Multipart.add_field/4`
		`Tesla.Multipart.add_file/3`
		`Tesla.Multipart.add_file_content/4`

Status	Type	Version	Changes / Fixed in
affected	git ^ⓘ	`6ebfdb9abe`	< `bb1a2c3da2`

Configurations

The application must pass untrusted input into a disposition parameter of Tesla.Multipart.add_field/4, Tesla.Multipart.add_file/3, or Tesla.Multipart.add_file_content/4.

Workarounds

Validate disposition parameter values before passing them to Tesla.Multipart.add_field/4, Tesla.Multipart.add_file/3, or Tesla.Multipart.add_file_content/4, rejecting any value that contains \r, \n, or ”.

References

https://github.com/elixir-tesla/tesla/security/advisories/GHSA-28jh-g32x-v9v4 vendor-advisory related
https://osv.dev/vulnerability/EEF-CVE-2026-48598 related
https://github.com/elixir-tesla/tesla/commit/bb1a2c3da2775924d96e3db8e315dcc4d5d2246e patch

Credits

Finder: Peter Ullrich
Remediation developer: Yordis Prieto
Analyst: Jonatan Männchen

CVE record as JSON: GET /cves/CVE-2026-48598.json
OSV record as JSON: GET /osv/EEF-CVE-2026-48598.json