{"affected":[{"package":{"ecosystem":"Hex","name":"req","purl":"pkg:hex/req"},"ranges":[{"events":[{"introduced":"0.5.3"},{"fixed":"0.6.0"}],"type":"SEMVER"}],"versions":["0.5.3","0.5.4","0.5.5","0.5.6","0.5.7","0.5.8","0.5.9","0.5.10","0.5.11","0.5.12","0.5.13","0.5.14","0.5.15","0.5.16","0.5.17","0.5.18"]},{"ranges":[{"events":[{"introduced":"60253dbe9436cb8e9c738f895032f2e87939b597"},{"fixed":"74506ff2c5addf74df85d79dc726e9b2e264a8ba"}],"repo":"https://github.com/wojtekmach/req.git","type":"GIT"}]}],"aliases":["GHSA-px9f-whj3-246m","CVE-2026-49756"],"credits":[{"name":"Peter Ullrich","type":"FINDER"},{"name":"Wojtek Mach","type":"REMEDIATION_DEVELOPER"},{"name":"Jonatan Männchen / EEF","type":"ANALYST"}],"database_specific":{"capec_ids":["CAPEC-33","CAPEC-105"],"cpe_ids":["cpe:2.3:a:wojtekmach:req:*:*:*:*:*:*:*:*"],"cwe_ids":["CWE-93"]},"details":"## Summary\n\nImproper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in wojtekmach Req allows multipart parameter smuggling via attacker-influenced part metadata.\n\nReq.Utils.encode\\_form\\_part/2 in lib/req/utils.ex builds the per-part headers by interpolating the caller-supplied name, filename, and content\\_type values directly into the content-disposition and content-type lines with no escaping or CRLF stripping. A value containing \", \\\\r, or \\\\n closes the surrounding quoted value and starts a new header line; an additional \\\\r\\\\n--<boundary> terminates the current part and prepends a smuggled part of the attacker's choosing.\n\nThis is reachable through every supported way of supplying a part. It is particularly easy when value is a %File.Stream{}, because filename then defaults to Path.basename(stream.path) and POSIX filenames may legitimately contain \\\\r and \\\\n. Any application that forwards user-controlled filenames (or field names / MIME types) through Req.post/2 with form\\_multipart: lets an attacker inject arbitrary headers into the outgoing multipart body or smuggle additional fields and parts into the request the victim service sends downstream.\n\nThis issue affects req: from 0.5.3 before 0.6.0.\n\n## Workaround\n\nSanitize attacker-influenced name, filename, and content\\_type values before passing them to Req.post/2 with form\\_multipart:. At minimum, reject (or strip) any value containing \\\\r, \\\\n, or \". When forwarding uploads, derive filename from a normalised string rather than Path.basename/1 on a user-controlled path.","id":"EEF-CVE-2026-49756","modified":"2026-06-08T16:34:58.505Z","published":"2026-06-08T15:20:24.035Z","references":[{"type":"ADVISORY","url":"https://github.com/wojtekmach/req/security/advisories/GHSA-px9f-whj3-246m"},{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-49756.html"},{"type":"FIX","url":"https://github.com/wojtekmach/req/commit/74506ff2c5addf74df85d79dc726e9b2e264a8ba"},{"type":"PACKAGE","url":"https://hex.pm/packages/req"}],"related":[],"schema_version":"1.7.3","severity":[{"score":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N","type":"CVSS_V4"}],"summary":"Multipart form-data header injection in Req via unescaped name/filename/content_type","upstream":[]}