CVE-2026-48598
Header Injection in Tesla HTTP Client Library
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: EEF
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elixir-tesla | tesla | From 0.8.0 (inc) to 1.18.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-48598 is a vulnerability in the elixir-tesla library's Tesla.Multipart module that allows multipart part header injection. The issue occurs because the function Tesla.Multipart.part_headers_for_disposition/1 inserts disposition parameter values (such as filenames or field names) directly into multipart headers without validating or escaping special characters like carriage return (CR), line feed (LF), or double-quotes.
An attacker can exploit this by injecting these special characters into parameters passed to functions like Tesla.Multipart.add_field/4, Tesla.Multipart.add_file/3, or Tesla.Multipart.add_file_content/4. For example, a double-quote can prematurely close a quoted parameter, and CRLF sequences can terminate headers early or inject new headers or body content, potentially manipulating the structure of multipart requests.
The vulnerability affects versions of tesla from 0.8.0 up to but not including 1.18.3. The default filename handling also inherits this issue because it does not strip CR or LF characters from file paths.
How can this vulnerability impact me?
This vulnerability can allow an attacker to manipulate multipart HTTP requests by injecting malicious headers or body content. This can lead to forged part-level headers or prepended body bytes in multipart requests, potentially causing unexpected behavior in applications processing these requests.
Such manipulation could be used to bypass security controls, confuse parsers, or exploit downstream systems that rely on the integrity of multipart request headers and bodies.
However, the severity is considered low with a CVSS v4.0 score of 2.1, as exploitation requires local access with low complexity and no privileges or user interaction.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves injection of CR (\r), LF (\n), or double-quote characters into multipart Content-Disposition headers via unescaped disposition parameter values. Detection involves monitoring multipart HTTP requests for suspicious or malformed Content-Disposition headers containing these characters.
You can detect potential exploitation by inspecting HTTP traffic for multipart requests where Content-Disposition parameters include unescaped carriage return, line feed, or double-quote characters.
Suggested commands include using network traffic analysis tools like tcpdump or Wireshark to capture HTTP multipart requests, then filtering or searching for suspicious Content-Disposition headers. For example, using tcpdump to capture HTTP traffic on port 80 or 443:
- `tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'Content-Disposition'`
Then manually or programmatically check for presence of CR (\r), LF (\n), or double-quote characters within the parameter values in the captured headers.
Additionally, application-level logging or instrumentation can be added to log or reject disposition parameter values containing these characters before they are sent.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to validate and sanitize all disposition parameter values (such as filenames, field names, and other options) before passing them to the affected Tesla.Multipart functions.
Specifically, reject or escape any values containing carriage return (CR), line feed (LF), or double-quote characters, as these can be used to inject malicious headers or body content.
Upgrade the elixir-tesla library to version 1.18.3 or later, where this vulnerability has been fixed by adding validation to reject such malicious input.
If upgrading immediately is not possible, implement input validation in your application code to prevent untrusted input from reaching the vulnerable functions.
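As an added illustration of the application-level check described above (for both logging or rejecting bad values and for guarding input before it reaches the Tesla.Multipart functions), the following Elixir module is example code written for this page, not Tesla's own implementation. The `SafeDisposition` module and its `unsafe_header/2` builder are hypothetical; the builder only mirrors the behaviour the advisory describes, namely interpolating parameter values into the part header without escaping.

```elixir
defmodule SafeDisposition do
  @moduledoc """
  Hypothetical guard for multipart Content-Disposition parameter values
  (field names, filenames). Not part of the Tesla library.
  """

  # Characters that let a value close a quoted parameter early or end the
  # header line: carriage return, line feed and the double quote.
  @forbidden ["\r", "\n", "\""]

  @doc "Accepts a parameter value only if it contains none of the forbidden characters."
  def validate(value) when is_binary(value) do
    if String.contains?(value, @forbidden) do
      {:error, {:invalid_disposition_value, value}}
    else
      {:ok, value}
    end
  end

  @doc "Builds the part header the way the vulnerable path does: raw interpolation, no escaping."
  def unsafe_header(name, filename) do
    "Content-Disposition: form-data; name=\"#{name}\"; filename=\"#{filename}\""
  end

  @doc "Builds the header only when every parameter passes validate/1; otherwise returns the error."
  def safe_header(name, filename) do
    with {:ok, name} <- validate(name),
         {:ok, filename} <- validate(filename) do
      {:ok, unsafe_header(name, filename)}
    end
  end

  @doc "Derives a default filename from a path and validates it, covering the default-filename case."
  def safe_basename(path) when is_binary(path) do
    path |> Path.basename() |> validate()
  end
end

# Constructed demonstration values (not taken from any real request).
# A filename carrying a quote and CRLF splits the unsafe header into extra lines.
bad_filename = "report.pdf\"\r\nContent-Type: text/html"
IO.puts(SafeDisposition.unsafe_header("file", bad_filename))

# The guarded builder refuses the same value and surfaces it for logging.
IO.inspect(SafeDisposition.safe_header("file", bad_filename))

# A benign value and a benign path pass unchanged.
IO.inspect(SafeDisposition.safe_header("file", "report.pdf"))
IO.inspect(SafeDisposition.safe_basename("/tmp/uploads/report.pdf"))
```

In application code, a value returned inside `{:ok, _}` is what you would then pass to `Tesla.Multipart.add_field/4`, `add_file/3` or `add_file_content/4`; an `{:error, _}` result is the point at which to log and reject the request.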
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.