CVE-2026-48598
Undergoing Analysis Undergoing Analysis - In Progress
Header Injection in Tesla HTTP Client Library

Publication date: 2026-06-02

Last updated on: 2026-06-03

Assigner: EEF

Description
Improper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped Content-Disposition parameter values. Tesla.Multipart.part_headers_for_disposition/1 interpolates each disposition parameter as #{k}="#{v}" with no validation of CR (\r), LF (\n), or double-quote characters. The values come verbatim from the caller via Tesla.Multipart.add_field/4 (the name parameter), Tesla.Multipart.add_file/3, and Tesla.Multipart.add_file_content/4 (both the filename parameter and other disposition opts). A " in the value closes the quoted parameter early; a \r\n ends the Content-Disposition header line and starts a new part header (such as a forged Content-Type), or, after a second \r\n, ends the entire part header block and prepends bytes to the part body. The default-filename path in add_file/3 derives the filename via Path.basename/1, which does not strip CR or LF, so any application forwarding a partially-attacker-controlled file path inherits the same issue. This issue affects tesla: from 0.8.0 before 1.18.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-03
Generated
2026-06-23
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
NVD
CVE-2026-48598
EUVD
EUVD-2026-34012
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
elixir-tesla tesla From 0.8.0 (inc) to 1.18.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-48598 is a vulnerability in the elixir-tesla library's Tesla.Multipart module that allows multipart part header injection. The issue occurs because the function Tesla.Multipart.part_headers_for_disposition/1 inserts disposition parameter values (such as filenames or field names) directly into multipart headers without validating or escaping special characters like carriage return (CR), line feed (LF), or double-quotes.

An attacker can exploit this by injecting these special characters into parameters passed to functions like Tesla.Multipart.add_field/4, Tesla.Multipart.add_file/3, or Tesla.Multipart.add_file_content/4. For example, a double-quote can prematurely close a quoted parameter, and CRLF sequences can terminate headers early or inject new headers or body content, potentially manipulating the structure of multipart requests.

The vulnerability affects versions of tesla from 0.8.0 up to but not including 1.18.3. The default filename handling also inherits this issue because it does not strip CR or LF characters from file paths.

Impact Analysis

This vulnerability can allow an attacker to manipulate multipart HTTP requests by injecting malicious headers or body content. This can lead to forged part-level headers or prepended body bytes in multipart requests, potentially causing unexpected behavior in applications processing these requests.

Such manipulation could be used to bypass security controls, confuse parsers, or exploit downstream systems that rely on the integrity of multipart request headers and bodies.

However, the severity is considered low with a CVSS v4.0 score of 2.1, as exploitation requires local access with low complexity and no privileges or user interaction.

Detection Guidance

This vulnerability involves injection of CR (\r), LF (\n), or double-quote characters into multipart Content-Disposition headers via unescaped disposition parameter values. Detection involves monitoring multipart HTTP requests for suspicious or malformed Content-Disposition headers containing these characters.

You can detect potential exploitation by inspecting HTTP traffic for multipart requests where Content-Disposition parameters include unescaped carriage return, line feed, or double-quote characters.

Suggested commands include using network traffic analysis tools like tcpdump or Wireshark to capture HTTP multipart requests, then filtering or searching for suspicious Content-Disposition headers. For example, using tcpdump to capture HTTP traffic on port 80 or 443:

  • tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'Content-Disposition'

Then manually or programmatically check for presence of CR (\r), LF (\n), or double-quote characters within the parameter values in the captured headers.

Additionally, application-level logging or instrumentation can be added to log or reject disposition parameter values containing these characters before they are sent.

Mitigation Strategies

The immediate mitigation step is to validate and sanitize all disposition parameter values (such as filenames, field names, and other options) before passing them to the affected Tesla.Multipart functions.

Specifically, reject or escape any values containing carriage return (CR), line feed (LF), or double-quote characters, as these can be used to inject malicious headers or body content.

Upgrade the elixir-tesla library to version 1.18.3 or later, where this vulnerability has been fixed by adding validation to reject such malicious input.

If upgrading immediately is not possible, implement input validation in your application code to prevent untrusted input from reaching the vulnerable functions.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48598. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart