CVE-2026-49753

HTTP response smuggling in Mint HTTP/1 client via lenient Content-Length parsing

Previous Page: « Back to all CVEs Next Page: See on OSV.dev »

Weakness Type (CWE)

CWE-444 — CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CAPEC

• CAPEC-273 — CAPEC-273 HTTP Response Smuggling

CVSS 4.0 Score

6.3

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Vulnerability description

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in elixir-mint Mint allows attacker-controlled HTTP/1 servers to desynchronise response framing on shared connections.

Mint's HTTP/1 Content-Length parser, 'Elixir.Mint.HTTP1.Parse':content_length_header/1 in lib/mint/http1/parse.ex, parses the header value with Integer.parse/1, which accepts an optional + or - sign prefix. The length >= 0 guard rejects negatives, but inputs such as +0 or +123 are returned as valid lengths. RFC 7230 specifies Content-Length = 1*DIGIT, with no sign character permitted.

A fronting proxy or load balancer that strictly enforces the grammar will reject or reframe a header like Content-Length: +0, while Mint silently treats it as zero. When Mint reuses the socket (keep-alive, pipelining, or any pooled connection shared across requesters), the parser disagreement is a response-smuggling primitive: the proxy delimits the body one way, Mint another, and bytes from one response get attributed to the next. Where the same Mint connection is shared across trust boundaries, an attacker-controlled upstream can leak bytes into a different consumer's response stream.

This issue affects mint: from 0.1.0 before 1.9.0.

Affected

pkg:hex/mint

Module	Source File	Routine
Mint.HTTP1.Parse	lib/mint/http1/parse.ex	Mint.HTTP1.Parse.content_length_header/1

Status	Type	Version	Changes / Fixed in
affected	semver ⓘ	0.1.0	< 1.9.0

pkg:github/elixir-mint/mint

Module	Source File	Routine
Mint.HTTP1.Parse	lib/mint/http1/parse.ex	Mint.HTTP1.Parse.content_length_header/1

Status	Type	Version	Changes / Fixed in
affected	git ⓘ	65e0e86d79	< 47e4802748

References

• https://github.com/elixir-mint/mint/security/advisories/GHSA-mjqx-c6f6-7rc2 vendor-advisory related
• https://osv.dev/vulnerability/EEF-CVE-2026-49753 related
• https://github.com/elixir-mint/mint/commit/47e48027480228e4e32a0b4df39db497b4804921 patch

Credits

• Finder: Peter Ullrich
• Remediation developer: Eric Meadows-Jönsson
• Analyst: Jonatan Männchen / EEF

CVE record as JSON:  GET /cves/CVE-2026-49753.json
OSV record as JSON:  GET /osv/EEF-CVE-2026-49753.json