{"affected":[{"package":{"ecosystem":"Hex","name":"mint","purl":"pkg:hex/mint"},"ranges":[{"events":[{"introduced":"0.1.0"},{"fixed":"1.9.3"}],"type":"SEMVER"}],"versions":["0.1.0","0.2.0","0.2.1","0.3.0","0.4.0","0.5.0","1.0.0","1.1.0","1.2.0","1.2.1","1.3.0","1.4.0","1.4.1","1.4.2","1.5.0","1.5.1","1.5.2","1.6.0","1.6.1","1.6.2","1.7.0","1.7.1","1.8.0","1.9.0","1.9.1","1.9.2"]},{"ranges":[{"events":[{"introduced":"60089586ec7adc9fddb09f69a2f5919ba9ac7f33"},{"fixed":"fc7d16538db7e40b56ed489f08683225cb0197fa"}],"repo":"https://github.com/elixir-mint/mint","type":"GIT"}]}],"aliases":["GHSA-x3x7-96vm-6h2w","CVE-2026-59249"],"credits":[{"name":"Thepigtails","type":"FINDER"},{"name":"Andrea Leopardi","type":"REMEDIATION_DEVELOPER"},{"name":"Eric Meadows-Jönsson","type":"REMEDIATION_REVIEWER"},{"name":"Jonatan Männchen / EEF","type":"ANALYST"}],"database_specific":{"capec_ids":["CAPEC-273"],"cpe_ids":["cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*"],"cwe_ids":["CWE-444"]},"details":"## Summary\n\nInconsistent interpretation of HTTP requests (HTTP response smuggling) vulnerability in elixir-mint mint allows a malicious HTTP/1 server to desynchronize a strict intermediary and the Mint client on the same pooled connection, enabling response-queue poisoning against subsequent requests that share the connection.\n\nThe Mint.HTTP1.decode\\_body/5 function in lib/mint/http1.ex parses the chunk-size line of a Transfer-Encoding: chunked response with Integer.parse(data, 16). RFC 7230 defines chunk-size = 1\\*HEXDIG and forbids any sign prefix, but Integer.parse/2 accepts an optional leading + or -. A chunk-size line of +5 is accepted as a five-byte chunk; lines of +0 and -0 are accepted as the terminating zero-length chunk and end the message body early.\n\nAn RFC-strict intermediary in the response path rejects these forms, so the intermediary and the Mint client disagree on where one response ends and the next begins. On a pooled keep-alive connection, an attacker-influenced origin can inject bytes that the client attributes to the next legitimate response on the same connection, poisoning the response queue and corrupting the responses returned to unrelated in-flight requests.\n\nThis issue affects mint: from 0.1.0 before 1.9.3.\n\n## Configuration\n\nExploitation requires a deployment topology in which an RFC-strict HTTP/1 intermediary (proxy, load balancer, or WAF) sits between the Mint client and the attacker-influenced origin, and HTTP/1 connections between the client and the intermediary are reused across requests (keep-alive with connection pooling). Mint clients that talk directly to an origin without an intermediary, or that do not reuse connections, are not exploitable for response-queue poisoning even if the vulnerable parsing behavior is present.","id":"EEF-CVE-2026-59249","modified":"2026-07-16T11:39:29.939Z","published":"2026-07-16T11:39:29.939Z","references":[{"type":"ADVISORY","url":"https://github.com/elixir-mint/mint/security/advisories/GHSA-x3x7-96vm-6h2w"},{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-59249.html"},{"type":"FIX","url":"https://github.com/elixir-mint/mint/commit/fc7d16538db7e40b56ed489f08683225cb0197fa"},{"type":"PACKAGE","url":"https://hex.pm/packages/mint"}],"related":[],"schema_version":"1.7.3","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N","type":"CVSS_V4"}],"summary":"Sign-tolerant HTTP/1 chunk-size parser in Mint enables response smuggling against strict intermediaries on pooled connections","upstream":[]}