CVE-2026-49756
CRLF Injection in Req HTTP Client Library

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: EEF

Description
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in wojtekmach Req allows multipart parameter smuggling via attacker-influenced part metadata. Req.Utils.encode_form_part/2 in lib/req/utils.ex builds the per-part headers by interpolating the caller-supplied name, filename, and content_type values directly into the content-disposition and content-type lines with no escaping or CRLF stripping.

A value containing ", \r, or \n closes the surrounding quoted value and starts a new header line; an additional \r\n--<boundary> terminates the current part and prepends a smuggled part of the attacker's choosing. This is reachable through every supported way of supplying a part. It is particularly easy when value is a %File.Stream{}, because filename then defaults to Path.basename(stream.path) and POSIX filenames may legitimately contain \r and \n.

Any application that forwards user-controlled filenames (or field names / MIME types) through Req.post/2 with form_multipart: lets an attacker inject arbitrary headers into the outgoing multipart body or smuggle additional fields and parts into the request the victim service sends downstream. This issue affects req: from 0.5.3 before 0.6.0.
Meta Information
Published: 2026-06-08
Last Modified: 2026-06-08
Generated: 2026-06-09
Affected Vendors & Products (2 associated CPEs)

Vendor       Product   Version / Range
wojtekmach   req       up to 0.6.0 (excluding)
wojtekmach   req       0.6.0
CWE ID    Description
CWE-93    The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-49756 is a vulnerability in the Req library, versions from 0.5.3 up to but not including 0.6.0, that allows multipart parameter smuggling via CRLF (Carriage Return Line Feed) injection.

The issue occurs because the function encode_form_part/2 in Req.Utils directly interpolates user-supplied values for name, filename, and content_type into multipart form-data headers without escaping or stripping CRLF characters.

An attacker can include special characters like quotes, carriage returns, or newlines in these fields, which prematurely close the current header line and start new ones, allowing injection of arbitrary headers or additional parts into the multipart request.

This is especially exploitable when filenames come from user-controlled sources, such as file streams where the filename defaults to the basename of the file path, which may contain CR or LF characters.

As a result, an attacker can smuggle extra form fields or parts into requests sent downstream by applications using Req.post/2 with form_multipart enabled.

Impact Analysis

This vulnerability can allow an attacker to inject arbitrary headers or smuggle additional parts into HTTP multipart form-data requests.

Such injection can lead to HTTP request smuggling or multipart parameter smuggling attacks, potentially causing the victim service to process malicious or unintended data.

Applications that forward user-controlled filenames, field names, or MIME types through Req.post/2 with form_multipart enabled are vulnerable.

The impact includes manipulation of downstream requests, which could lead to security issues such as unauthorized data injection or bypassing input validation.

However, the CVSS score is low (2.1): the exploit complexity is low, but the overall impact is limited.

Detection Guidance

This vulnerability involves multipart form-data header injection via unescaped name, filename, and content_type fields in HTTP requests. Detection can focus on inspecting outgoing multipart/form-data requests for suspicious or malformed headers that include CR (\r) or LF (\n) characters within these fields. Note that once injected, a CR LF pair is encoded as an ordinary line break, so on the wire the signal is a part carrying extra or unexpected header lines, or a quoted content-disposition parameter value that ends earlier than the expected field name or filename.

You can monitor HTTP traffic on your network or system using tools like tcpdump or Wireshark to capture multipart/form-data requests and look for injected CRLF sequences or unexpected headers.

Example commands to capture and inspect traffic:

  • Use tcpdump to capture HTTP traffic on port 80, or on port 443 only if the traffic is unencrypted (TLS traffic must be inspected at the application or proxy layer instead): tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
  • Use Wireshark to filter HTTP multipart/form-data requests and examine headers for CR or LF characters in name, filename, or content_type fields.

Additionally, review application logs or proxy logs for malformed multipart requests or unexpected header injections.

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade the Req library to version 0.6.0 or later, where the issue has been fixed by properly escaping name, filename, and content_type parameters in multipart form-data headers.

If upgrading is not immediately possible, sanitize or normalize all user-controlled inputs that are used as name, filename, or content_type values in multipart requests by rejecting or stripping carriage return (\r), newline (\n), and double quote (") characters before passing them to Req.post/2.

Avoid using Path.basename/1 on user-controlled paths directly for filenames without normalization, as POSIX filenames may contain CR or LF characters.
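The interim mitigation above, as an added example that is not part of Req or of this advisory: a small Elixir module that validates (or, as a fallback, strips) the name, filename and content_type values before they reach Req.post/2, and derives the filename from a user-controlled path without trusting Path.basename/1 alone. The module name SafeMultipart, its function names, and the `{stream, filename: ..., content_type: ...}` part form used in the upload/3 call are assumptions for illustration; check the part syntax against the form_multipart documentation of the Req version you run.

```elixir
defmodule SafeMultipart do
  # Added example (hypothetical helper, not part of Req): validates caller-supplied
  # multipart part metadata before it reaches Req.post/2 with form_multipart:,
  # as a stop-gap for Req versions before 0.6.0.

  # CR and LF start a new header line inside the part; a double quote closes
  # the quoted content-disposition parameter value.
  @forbidden ["\r", "\n", "\""]

  @doc "Rejects a metadata value that could break out of its header line."
  @spec validate(String.t()) :: {:ok, String.t()} | {:error, atom()}
  def validate(value) when is_binary(value) do
    cond do
      not String.valid?(value) -> {:error, :invalid_utf8}
      String.contains?(value, @forbidden) -> {:error, :crlf_or_quote}
      true -> {:ok, value}
    end
  end

  @doc "Fallback when rejecting is not an option: drops the offending characters."
  @spec strip(String.t()) :: String.t()
  def strip(value) when is_binary(value), do: String.replace(value, @forbidden, "")

  @doc """
  Derives a filename from a user-controlled path. Path.basename/1 alone is not
  enough, because POSIX filenames may legitimately contain CR or LF.
  """
  @spec safe_filename(Path.t()) :: {:ok, String.t()} | {:error, atom()}
  def safe_filename(path) do
    path |> Path.basename() |> validate()
  end

  @doc """
  Uploads `path` as the `file` field and refuses to send when the metadata is
  unsafe. The part tuple `{stream, filename: ..., content_type: ...}` is the
  form assumed here for Req 0.5.x; verify it against your Req version.
  """
  def upload(url, path, content_type) do
    with {:ok, filename} <- safe_filename(path),
         {:ok, content_type} <- validate(content_type) do
      Req.post(url,
        form_multipart: [
          file: {File.stream!(path), filename: filename, content_type: content_type}
        ]
      )
    end
  end
end

# Constructed inputs for a quick check in iex:
#   SafeMultipart.validate("report.pdf")             #=> {:ok, "report.pdf"}
#   SafeMultipart.validate("report\r\n.pdf")         #=> {:error, :crlf_or_quote}
#   SafeMultipart.validate("a\"b.txt")               #=> {:error, :crlf_or_quote}
#   SafeMultipart.strip("report\r\n\".pdf")          #=> "report.pdf"
#   SafeMultipart.safe_filename("/tmp/up/x\n.bin")   #=> {:error, :crlf_or_quote}
```

Rejecting is preferable to stripping: a stripped filename silently changes what the downstream service stores, whereas an error surfaces the bad input to the caller. Once Req 0.6.0 or later is in place this helper becomes redundant, but the validation is still cheap defense in depth for any other place the same values are used.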

Review and monitor your application for any suspicious multipart requests that could exploit this vulnerability.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
