CVE-2026-59249
Received Received - Intake

HTTP Response Smuggling in Mint Library

Vulnerability report for CVE-2026-59249, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: EEF

Description

Inconsistent interpretation of HTTP requests (HTTP response smuggling) vulnerability in elixir-mint mint allows a malicious HTTP/1 server to desynchronize a strict intermediary and the Mint client on the same pooled connection, enabling response-queue poisoning against subsequent requests that share the connection. The Mint.HTTP1.decode_body/5 function in lib/mint/http1.ex parses the chunk-size line of a Transfer-Encoding: chunked response with Integer.parse(data, 16). RFC 7230 defines chunk-size = 1*HEXDIG and forbids any sign prefix, but Integer.parse/2 accepts an optional leading + or -. A chunk-size line of +5 is accepted as a five-byte chunk; lines of +0 and -0 are accepted as the terminating zero-length chunk and end the message body early. An RFC-strict intermediary in the response path rejects these forms, so the intermediary and the Mint client disagree on where one response ends and the next begins. On a pooled keep-alive connection, an attacker-influenced origin can inject bytes that the client attributes to the next legitimate response on the same connection, poisoning the response queue and corrupting the responses returned to unrelated in-flight requests. This issue affects mint: from 0.1.0 before 1.9.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
elixir-mint mint From 0.1.0 (inc) to 1.9.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an HTTP response smuggling issue in the elixir-mint library. It occurs when a malicious HTTP/1 server sends chunked transfer encoding responses with signed chunk sizes (e.g., +5 or -0). Mint's parser incorrectly accepts these, violating RFC 7230 which forbids signs. Strict intermediaries reject these, causing Mint to misinterpret response boundaries on pooled connections. This leads to response-queue poisoning where injected bytes corrupt unrelated requests.

Detection Guidance

To detect this vulnerability, check if your system uses Mint library versions before 1.9.3. Run: mix deps | grep mint. If version is below 1.9.3, the system is vulnerable. Monitor HTTP/1 traffic for malformed chunked transfer encoding responses with signed chunk sizes like +5 or -0.

Impact Analysis

If exploited, this vulnerability could corrupt responses for unrelated in-flight requests sharing a pooled connection. Attackers might inject malicious data into responses, altering headers, status codes, or body content. This could lead to data leaks, session hijacking, or misinformation. Exploitation requires network access and a setup with an RFC-strict intermediary and HTTP/1 keep-alive pooling.

Compliance Impact

This vulnerability could indirectly impact compliance with GDPR and HIPAA by enabling response-queue poisoning attacks that corrupt data integrity. If exploited, it may lead to unauthorized data exposure or manipulation of sensitive information transmitted over HTTP connections, potentially violating confidentiality and integrity requirements under these regulations.

Mitigation Strategies

Upgrade Mint to version 1.9.3 or later immediately. Update dependency files (mix.exs) and run mix deps.update mint. Restart affected applications to apply changes. Ensure no pooled keep-alive HTTP/1 connections exist between clients and servers during transition.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59249. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart