{"affected":[{"package":{"ecosystem":"Hex","name":"tesla","purl":"pkg:hex/tesla"},"ranges":[{"events":[{"introduced":"0.8.0"},{"fixed":"1.18.3"}],"type":"SEMVER"}],"versions":["0.8.0","0.9.0","0.10.0","1.0.0-beta.1","1.0.0","1.1.0","1.2.0","1.2.1","1.3.0","1.3.1","1.3.2","1.3.3","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.5.1","1.6.0","1.6.1","1.7.0","1.8.0","1.8.1","1.9.0","1.10.0","1.10.1","1.10.2","1.10.3","1.11.0","1.11.1","1.11.2","1.12.0","1.12.1","1.12.2","1.12.3","1.13.0","1.13.1","1.13.2","1.14.0","1.14.1","1.14.2","1.14.3","1.15.0","1.15.1","1.15.2","1.15.3","1.16.0","1.17.0","1.18.0","1.18.1","1.18.2"]},{"ranges":[{"events":[{"introduced":"6ebfdb9abe9c6f119408045b933d82462decd351"},{"fixed":"bb1a2c3da2775924d96e3db8e315dcc4d5d2246e"}],"repo":"https://github.com/elixir-tesla/tesla.git","type":"GIT"}]}],"aliases":["GHSA-28jh-g32x-v9v4","CVE-2026-48598"],"credits":[{"name":"Peter Ullrich","type":"FINDER"},{"name":"Yordis Prieto","type":"REMEDIATION_DEVELOPER"},{"name":"Jonatan Männchen","type":"ANALYST"}],"database_specific":{"capec_ids":["CAPEC-105"],"cpe_ids":["cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*"],"cwe_ids":["CWE-116"]},"details":"## Summary\n\nImproper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped Content-Disposition parameter values.\n\nTesla.Multipart.part_headers_for_disposition/1 interpolates each disposition parameter as #{k}=\"#{v}\" with no validation of CR (\\r), LF (\\n), or double-quote characters. The values come verbatim from the caller via Tesla.Multipart.add_field/4 (the name parameter), Tesla.Multipart.add_file/3, and Tesla.Multipart.add_file_content/4 (both the filename parameter and other disposition opts). A \" in the value closes the quoted parameter early; a \\r\\n ends the Content-Disposition header line and starts a new part header (such as a forged Content-Type), or, after a second \\r\\n, ends the entire part header block and prepends bytes to the part body. The default-filename path in add_file/3 derives the filename via Path.basename/1, which does not strip CR or LF, so any application forwarding a partially-attacker-controlled file path inherits the same issue.\n\nThis issue affects tesla: from 0.8.0 before 1.18.3.\n\n## Workaround\n\nValidate disposition parameter values before passing them to Tesla.Multipart.add_field/4, Tesla.Multipart.add_file/3, or Tesla.Multipart.add_file_content/4, rejecting any value that contains \\r, \\n, or \".\n\n## Configuration\n\nThe application must pass untrusted input into a disposition parameter of Tesla.Multipart.add_field/4, Tesla.Multipart.add_file/3, or Tesla.Multipart.add_file_content/4.","id":"EEF-CVE-2026-48598","modified":"2026-06-02T19:12:18.502Z","published":"2026-06-02T19:08:19.921Z","references":[{"type":"ADVISORY","url":"https://github.com/elixir-tesla/tesla/security/advisories/GHSA-28jh-g32x-v9v4"},{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-48598.html"},{"type":"FIX","url":"https://github.com/elixir-tesla/tesla/commit/bb1a2c3da2775924d96e3db8e315dcc4d5d2246e"},{"type":"PACKAGE","url":"https://hex.pm/packages/tesla"}],"related":[],"schema_version":"1.7.3","severity":[{"score":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N","type":"CVSS_V4"}],"summary":"CRLF injection in Tesla.Multipart disposition parameters allows multipart part header injection","upstream":[]}