CVE-2026-49756

Multipart form-data header injection in Req via unescaped name/filename/content_type

Previous Page: « Back to all CVEs Next Page: See on OSV.dev »

Weakness Type (CWE)

CWE-93 — CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')

CAPEC

• CAPEC-33 — CAPEC-33 HTTP Request Smuggling
• CAPEC-105 — CAPEC-105 HTTP Request Splitting

CVSS 4.0 Score

2.1

LOW

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Vulnerability description

Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in wojtekmach Req allows multipart parameter smuggling via attacker-influenced part metadata.

'Elixir.Req.Utils':encode_form_part/2 in lib/req/utils.ex builds the per-part headers by interpolating the caller-supplied name, filename, and content_type values directly into the content-disposition and content-type lines with no escaping or CRLF stripping. A value containing ", \r, or \n closes the surrounding quoted value and starts a new header line; an additional \r\n--<boundary> terminates the current part and prepends a smuggled part of the attacker's choosing.

This is reachable through every supported way of supplying a part. It is particularly easy when value is a %File.Stream{}, because filename then defaults to Path.basename(stream.path) and POSIX filenames may legitimately contain \r and \n. Any application that forwards user-controlled filenames (or field names / MIME types) through 'Elixir.Req':post/2 with form_multipart: lets an attacker inject arbitrary headers into the outgoing multipart body or smuggle additional fields and parts into the request the victim service sends downstream.

This issue affects req: from 0.5.3 before 0.6.0.

Affected

pkg:hex/req

Module	Source File	Routine
Req.Utils	lib/req/utils.ex	Req.Utils.encode_form_part/2

Status	Type	Version	Changes / Fixed in
affected	semver ⓘ	0.5.3	< 0.6.0

pkg:github/wojtekmach/req

Module	Source File	Routine
Req.Utils	lib/req/utils.ex	Req.Utils.encode_form_part/2

Status	Type	Version	Changes / Fixed in
affected	git ⓘ	60253dbe94	< 74506ff2c5

Workarounds

Sanitize attacker-influenced name, filename, and content_type values before passing them to 'Elixir.Req':post/2 with form_multipart:. At minimum, reject (or strip) any value containing \r, \n, or ". When forwarding uploads, derive filename from a normalised string rather than Path.basename/1 on a user-controlled path.

References

• https://github.com/wojtekmach/req/security/advisories/GHSA-px9f-whj3-246m vendor-advisory related
• https://osv.dev/vulnerability/EEF-CVE-2026-49756 related
• https://github.com/wojtekmach/req/commit/74506ff2c5addf74df85d79dc726e9b2e264a8ba patch

Credits

• Finder: Peter Ullrich
• Remediation developer: Wojtek Mach
• Analyst: Jonatan Männchen / EEF

CVE record as JSON:  GET /cves/CVE-2026-49756.json
OSV record as JSON:  GET /osv/EEF-CVE-2026-49756.json