{"affected":[{"package":{"ecosystem":"Hex","name":"mint","purl":"pkg:hex/mint"},"ranges":[{"events":[{"introduced":"0.1.0"},{"fixed":"1.9.0"}],"type":"SEMVER"}],"versions":["0.1.0","0.2.0","0.2.1","0.3.0","0.4.0","0.5.0","1.0.0","1.1.0","1.2.0","1.2.1","1.3.0","1.4.0","1.4.1","1.4.2","1.5.0","1.5.1","1.5.2","1.6.0","1.6.1","1.6.2","1.7.0","1.7.1","1.8.0"]},{"ranges":[{"events":[{"introduced":"8db1acff30b6a9433762c18b1e1f891b8c1f74f7"},{"fixed":"fad091454cbb7449b19edb8e1fee12ca7cf28c3a"}],"repo":"https://github.com/elixir-mint/mint.git","type":"GIT"}]}],"aliases":["GHSA-2pg6-44cx-c49v","CVE-2026-48861"],"credits":[{"name":"Peter Ullrich","type":"FINDER"},{"name":"Eric Meadows-Jönsson","type":"REMEDIATION_DEVELOPER"},{"name":"Jonatan Männchen / EEF","type":"ANALYST"}],"database_specific":{"capec_ids":["CAPEC-33","CAPEC-105"],"cpe_ids":["cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*"],"cwe_ids":["CWE-93"]},"details":"## Summary\n\nImproper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in elixir-mint Mint allows HTTP Request Splitting and HTTP Request Smuggling.\n\nIn lib/mint/http1/request.ex, the encode_request_line/2 function splices the caller-supplied method and target arguments directly into the HTTP/1 request line without any character validation: [method, ?\\s, target, \" HTTP/1.1\\r\\n\"]. An application that forwards attacker-controlled input as the HTTP method or target to Mint.HTTP.request/5 is therefore exposed to request-line CRLF injection: the attacker can terminate the request line early, inject arbitrary headers, and smuggle an entirely separate pipelined HTTP request onto the same TCP connection.\n\nMint 1.7.0 introduced validate_request_target/2, which rejects CRLF and other control characters in the target by default and closes the path/query vector unless the caller opts out via skip_target_validation: true. The method field remains unvalidated, so the method-based injection is exploitable under the default Mint configuration on all versions.\n\nThis issue affects mint: from 0.1.0 before 1.9.0.","id":"EEF-CVE-2026-48861","modified":"2026-06-02T14:15:09.015Z","published":"2026-06-02T14:15:09.015Z","references":[{"type":"ADVISORY","url":"https://github.com/elixir-mint/mint/security/advisories/GHSA-2pg6-44cx-c49v"},{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-48861.html"},{"type":"FIX","url":"https://github.com/elixir-mint/mint/commit/fad091454cbb7449b19edb8e1fee12ca7cf28c3a"},{"type":"PACKAGE","url":"https://hex.pm/packages/mint"}],"related":[],"schema_version":"1.7.3","severity":[{"score":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N","type":"CVSS_V4"}],"summary":"CRLF injection in HTTP/1 request line via unvalidated method in Mint","upstream":[]}