CVE-2026-48596
HTTP Header Injection in Tesla HTTP Client Library
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: EEF
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elixir-tesla | tesla | From 0.8.0 (inc) to 1.18.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-113 | The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-48596 is a CRLF injection vulnerability in the Tesla.Multipart.add_content_type_param/2 function of the elixir-tesla library. This function appends user-supplied strings to the multipart content_type_params list without validating for carriage return (CR) or line feed (LF) characters.
Because Tesla.Multipart.headers/1 joins these parameters verbatim with "; ", any parameter containing \r\n can split the HTTP header line, allowing an attacker to inject arbitrary HTTP headers into outbound requests.
Applications that forward untrusted input, such as user-supplied charset or parameter strings, into add_content_type_param/2 are vulnerable. The issue affects Tesla versions from 0.8.0 before 1.18.3 and was fixed in version 1.18.3.
How can this vulnerability impact me?
This vulnerability allows an attacker to inject arbitrary HTTP headers into outbound HTTP requests by exploiting the improper neutralization of CRLF sequences.
Such header injection can lead to HTTP request smuggling or header forgery attacks against upstream servers, potentially manipulating how requests are processed or interpreted.
However, the severity is rated as low (CVSS v4.0 score 2.1) because exploitation requires control over content-type parameter values, and the impact is limited to outbound request manipulation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves HTTP header injection via unvalidated CRLF sequences in the Content-Type header parameters. Detection involves monitoring outbound HTTP requests for suspicious or malformed headers that include unexpected line breaks or injected headers.
Since the vulnerability arises from the Tesla.Multipart.add_content_type_param/2 function appending unvalidated strings, you can detect exploitation attempts by inspecting HTTP traffic for headers containing CR (\r) or LF (\n) characters or unexpected header splitting.
Suggested approaches to detect this on your system or network include using network traffic analysis tools such as tcpdump or Wireshark to capture HTTP requests and filter for suspicious Content-Type headers.
- Using tcpdump to capture HTTP traffic on port 80 or 443 (only readable if unencrypted), keeping only segments that carry a payload: `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'`
- Using Wireshark, apply a display filter for HTTP headers containing CR or LF characters or unexpected header lines.
Additionally, reviewing application logs or adding instrumentation to log parameters passed to Tesla.Multipart.add_content_type_param/2 can help detect if untrusted input containing CR or LF characters is being used.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately validate and sanitize any user-supplied input passed to Tesla.Multipart.add_content_type_param/2 to ensure it does not contain carriage return (\r) or line feed (\n) characters.
Reject or sanitize any content-type parameter strings that include CR or LF characters before passing them to the vulnerable function.
Upgrade the Tesla library to version 1.18.3 or later, where this vulnerability has been fixed by enforcing strict input validation according to RFC 7230 and RFC 7231 standards.
- Implement input validation functions that reject control characters, semicolons, empty strings, and other invalid tokens in content-type parameters.
- Review and update your code to avoid forwarding untrusted input directly into Tesla.Multipart.add_content_type_param/2.
These steps will prevent HTTP header injection and protect your application from request smuggling or header forgery attacks.
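The following Elixir module is an added example, not code from the Tesla project or from this advisory. It does two things the answers above describe: it models how joining content-type parameters verbatim with "; " lets a CR/LF in one parameter split the header line, and it provides a strict validator, in the spirit of the RFC 7230 token and quoted-string grammar, that can be run on untrusted input before it reaches `Tesla.Multipart.add_content_type_param/2`, plus a small helper for the log instrumentation suggested in the detection answer. The module name `ContentTypeParamGuard`, the regexes, and the sample inputs are this example's own assumptions; the actual check that Tesla 1.18.3 enforces may differ in detail.

```elixir
defmodule ContentTypeParamGuard do
  @moduledoc """
  Added example, not code from the Tesla project. Shows (1) how joining
  Content-Type parameters verbatim with "; " lets a CRLF in a parameter split
  the header line, and (2) a strict validator to run on untrusted input before
  it reaches a builder such as Tesla.Multipart.add_content_type_param/2.
  """

  # RFC 7230 token: one or more tchar. These regexes are this example's own
  # rendering of the grammar; Tesla 1.18.3's actual check may differ.
  @token ~r/\A[!#$%&'*+\-.^_`|~0-9A-Za-z]+\z/
  # RFC 7230 quoted-string without obs-text: DQUOTE *(qdtext / quoted-pair) DQUOTE
  @quoted_string ~r/\A"(?:[\t \x21\x23-\x5B\x5D-\x7E]|\\[\t \x21-\x7E])*"\z/

  @doc """
  Models the pre-1.18.3 behaviour the advisory describes: every parameter is
  appended to the media type with "; " and CR/LF are not neutralised.
  Returns the header as a {name, value} tuple.
  """
  def naive_header(params) when is_list(params) do
    {"Content-Type", Enum.join(["multipart/form-data" | params], "; ")}
  end

  @doc """
  Returns {:ok, param} when `param` is a `name=value` pair whose name is an
  RFC 7230 token and whose value is a token or a quoted-string; otherwise
  returns {:error, reason}. CR/LF, the ";" separator, empty strings and bare
  names without "=" are all rejected, as are other control characters
  (they are not tchar and not allowed in qdtext).
  """
  def validate(param) when is_binary(param) do
    cond do
      param == "" -> {:error, :empty}
      String.contains?(param, ["\r", "\n"]) -> {:error, :crlf}
      String.contains?(param, ";") -> {:error, :separator}
      true -> validate_pair(String.split(param, "=", parts: 2))
    end
  end

  def validate(_other), do: {:error, :not_a_string}

  defp validate_pair([name, value]) do
    if Regex.match?(@token, name) and
         (Regex.match?(@token, value) or Regex.match?(@quoted_string, value)) do
      {:ok, name <> "=" <> value}
    else
      {:error, :invalid_token}
    end
  end

  defp validate_pair(_no_equals), do: {:error, :missing_value}

  @doc """
  Detection helper for log instrumentation: given a header value, returns the
  extra header lines that a line break inside it would have produced (an empty
  list when the value is clean).
  """
  def injected_lines(value) when is_binary(value) do
    value |> String.split(~r/\r\n?|\n/) |> Enum.drop(1)
  end
end

# Constructed inputs for a quick check with `elixir guard.exs` (not captured traffic).
clean = "charset=utf-8"
# Constructed parameter carrying a CRLF followed by a harmless marker header.
tainted = "charset=utf-8\r\nX-Example-Injected: 1"

IO.inspect(ContentTypeParamGuard.naive_header(["boundary=abc123", tainted]),
  label: "unvalidated join")
IO.inspect(ContentTypeParamGuard.validate(clean), label: "validate clean")
IO.inspect(ContentTypeParamGuard.validate(tainted), label: "validate tainted")
IO.inspect(ContentTypeParamGuard.validate("charset"), label: "validate bare name")

{_, value} = ContentTypeParamGuard.naive_header(["boundary=abc123", tainted])
IO.inspect(ContentTypeParamGuard.injected_lines(value), label: "injected lines")
```

Applications on a fixed Tesla version still benefit from running `validate/1` at the trust boundary, because it rejects malformed parameters before they reach any header builder; the `injected_lines/1` helper is meant to be called from the logging hook around `add_content_type_param/2` so that a non-empty result can be alerted on.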