CVE-2026-49753
HTTP Request Smuggling in Mint HTTP Library
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: EEF
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elixir | mint | From 0.1.0 (inc) to 1.9.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-49753 is a vulnerability in the Elixir Mint HTTP/1 client parser related to how it interprets the Content-Length header in HTTP requests and responses.
Mint's parser uses Integer.parse/1 to read the Content-Length header, which incorrectly allows optional '+' or '-' signs (e.g., '+0' or '+123'), even though RFC 7230 requires the Content-Length to be composed solely of digits without any sign.
This discrepancy means that a fronting proxy or load balancer that strictly enforces the RFC will reject or reframe headers like 'Content-Length: +0', while Mint accepts them as a valid length of zero.
When Mint reuses a socket connection (such as with keep-alive or pipelining), this mismatch can cause response framing to become desynchronized, allowing bytes from one response to leak into another, a technique known as HTTP response smuggling.
This vulnerability affects Mint versions from 0.1.0 up to but not including 1.9.0, where a patch was introduced to properly validate the Content-Length header.
How can this vulnerability impact me?
This vulnerability can lead to HTTP response smuggling, where an attacker-controlled HTTP/1 server can manipulate response framing on shared connections.
Because Mint and a strict fronting proxy interpret the Content-Length header differently, bytes from one response can be incorrectly attributed to another response.
This can cause response stream corruption and potentially allow an attacker to inject unauthorized data into responses intended for other users.
The risk is especially significant in environments where the same Mint connection is shared across different trust boundaries, such as multi-tenant systems.
Exploitation requires control over the upstream HTTP/1 server and shared Mint connections, but no privileges or user interaction are needed.
The vulnerability impacts the integrity of HTTP responses, potentially leading to data leakage or injection attacks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves inconsistent parsing of the HTTP Content-Length header, specifically accepting values with a leading '+' sign (e.g., '+0', '+123') which violates RFC 7230. Detection involves monitoring HTTP traffic for such malformed Content-Length headers.
You can detect potential exploitation attempts by inspecting HTTP responses for Content-Length headers that include a leading '+' sign or other invalid formats.
- Use network traffic analysis tools like tcpdump or Wireshark to capture HTTP traffic and filter for Content-Length headers with leading '+' signs.
- Example tcpdump command to capture HTTP traffic on port 80 or 443: tcpdump -A -s 0 'tcp port 80 or tcp port 443'
- Use grep or similar tools on captured traffic to search for 'Content-Length: +' patterns.
- If you have access to logs or proxy/load balancer logs, search for rejected or reframed requests/responses involving Content-Length headers with leading '+' signs.
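The capture-and-search steps above can be scripted. The following Python script is an added example, not code from Mint or from this advisory: it scans a plaintext HTTP/1 capture for Content-Length values that are not digits only, going slightly beyond the '+' case by flagging any non-conforming value. The function names and the sample capture are constructed for illustration, and Python's int() stands in for a sign-tolerant integer parser.

```python
import re

# RFC 7230 grammar: Content-Length = 1*DIGIT (no sign, no other characters).
STRICT = re.compile(rb"[0-9]+")
SIGNED = re.compile(rb"[+-][0-9]+")
# Header lines as they appear in a plaintext capture; field names are case-insensitive.
FIELD = re.compile(rb"^content-length[ \t]*:([^\r\n]*)", re.IGNORECASE | re.MULTILINE)

# Constructed sample: four responses on one connection, headers only after the first.
SAMPLE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 5\r\n\r\nhello"
    b"HTTP/1.1 200 OK\r\nContent-Length: +0\r\n\r\n"
    b"HTTP/1.1 200 OK\r\ncontent-length: +123\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nContent-Length: 12a\r\n\r\n"
)


def classify(value: bytes) -> str:
    """Return 'ok', 'signed' (the form described in this advisory) or 'malformed'."""
    if STRICT.fullmatch(value):
        return "ok"
    if SIGNED.fullmatch(value):
        return "signed"
    return "malformed"


def scan(capture: bytes):
    """Return (line_number, raw_value, verdict, lenient_length) per non-conforming header."""
    findings = []
    for m in FIELD.finditer(capture):
        value = m.group(1).strip(b" \t")
        verdict = classify(value)
        if verdict == "ok":
            continue
        # Length a sign-tolerant parser would accept; None when even that fails.
        lenient = int(value.decode("ascii")) if verdict == "signed" else None
        line_no = capture.count(b"\n", 0, m.start()) + 1
        findings.append((line_no, value.decode("latin-1"), verdict, lenient))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Traffic on port 443 is TLS-encrypted, so run this against plaintext captures or data recorded after TLS termination. A match can also occur inside a response body, so treat each finding as a lead to review.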
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the Mint library to version 1.9.0 or later, where the vulnerability has been fixed by stricter validation of the Content-Length header.
If upgrading immediately is not possible, consider the following interim measures:
- Configure fronting proxies or load balancers to strictly enforce RFC 7230 compliance on Content-Length headers, rejecting or sanitizing headers with invalid formats such as leading '+' signs.
- Avoid sharing Mint connections across different trust boundaries to reduce the risk of response smuggling.
- Monitor network traffic and logs for suspicious Content-Length headers and anomalous response behavior.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The CVE-2026-49753 vulnerability allows attacker-controlled HTTP/1 servers to desynchronize response framing on shared connections, leading to response smuggling. This can cause unauthorized data injection into response streams, potentially leaking information across different trust boundaries.
Such unauthorized data leakage and integrity violations could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and disclosure.
Because the vulnerability enables an attacker to inject or leak data between responses, it undermines data integrity and confidentiality controls that are critical for regulatory compliance.