{"affected":[{"package":{"ecosystem":"Hex","name":"tesla","purl":"pkg:hex/tesla"},"ranges":[{"events":[{"introduced":"0.8.0"},{"fixed":"1.18.3"}],"type":"SEMVER"}],"versions":["0.8.0","0.9.0","0.10.0","1.0.0-beta.1","1.0.0","1.1.0","1.2.0","1.2.1","1.3.0","1.3.1","1.3.2","1.3.3","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.5.1","1.6.0","1.6.1","1.7.0","1.8.0","1.8.1","1.9.0","1.10.0","1.10.1","1.10.2","1.10.3","1.11.0","1.11.1","1.11.2","1.12.0","1.12.1","1.12.2","1.12.3","1.13.0","1.13.1","1.13.2","1.14.0","1.14.1","1.14.2","1.14.3","1.15.0","1.15.1","1.15.2","1.15.3","1.16.0","1.17.0","1.18.0","1.18.1","1.18.2"]},{"ranges":[{"events":[{"introduced":"6ebfdb9abe9c6f119408045b933d82462decd351"},{"fixed":"23601edac5d22ba9407b427967b5bdbda201aec2"}],"repo":"https://github.com/elixir-tesla/tesla.git","type":"GIT"}]}],"aliases":["GHSA-q7jx-v53g-848w","CVE-2026-48596"],"credits":[{"name":"Peter Ullrich","type":"FINDER"},{"name":"Yordis Prieto","type":"REMEDIATION_DEVELOPER"},{"name":"Jonatan Männchen","type":"ANALYST"}],"database_specific":{"capec_ids":["CAPEC-105"],"cpe_ids":["cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*"],"cwe_ids":["CWE-113"]},"details":"## Summary\n\nImproper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in elixir-tesla tesla allows HTTP header injection via Tesla.Multipart.add_content_type_param/2.\n\nTesla.Multipart.add_content_type_param/2 appends caller-supplied strings to the multipart content_type_params list without validating for CR (\\r) or LF (\\n) characters. Tesla.Multipart.headers/1 then joins these params verbatim with \"; \" to construct the outgoing Content-Type header value. A param containing \\r\\n splits the header line, allowing arbitrary headers to be injected into the outbound HTTP request. Any application that forwards untrusted input (such as a user-supplied charset or parameter string) into add_content_type_param/2 is affected.\n\nThis issue affects tesla: from 0.8.0 before 1.18.3.\n\n## Workaround\n\nValidate content-type parameter strings before passing them to Tesla.Multipart.add_content_type_param/2, rejecting any value that contains \\r or \\n.\n\n## Configuration\n\nThe application must pass untrusted input into Tesla.Multipart.add_content_type_param/2.","id":"EEF-CVE-2026-48596","modified":"2026-06-02T19:12:34.508Z","published":"2026-06-02T19:09:31.615Z","references":[{"type":"ADVISORY","url":"https://github.com/elixir-tesla/tesla/security/advisories/GHSA-q7jx-v53g-848w"},{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-48596.html"},{"type":"FIX","url":"https://github.com/elixir-tesla/tesla/commit/23601edac5d22ba9407b427967b5bdbda201aec2"},{"type":"PACKAGE","url":"https://hex.pm/packages/tesla"}],"related":[],"schema_version":"1.7.3","severity":[{"score":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N","type":"CVSS_V4"}],"summary":"CRLF injection in Tesla.Multipart.add_content_type_param/2 allows HTTP header injection","upstream":[]}