HTTP Response Smuggling Vulnerability in Elixir Mint Client
CVE-2026-59249

6.3MEDIUM

Key Information:

Status
Vendor
CVE Published:
16 July 2026

What is CVE-2026-59249?

The Elixir Mint HTTP client is susceptible to an HTTP response smuggling vulnerability due to improper handling of the chunk-size line in chunked transfer-encoded responses. This issue arises when the Mint client processes a chunk-size with a leading sign, which diverges from RFC 7230 specifications. As a result, an attacker leveraging a malicious HTTP/1 server can desynchronize the strict intermediary and the Mint client on a pooled connection. This enables them to inject bytes into the response queue, leading to corrupt responses for unrelated requests. Versions from 0.1.0 before 1.9.3 are affected. Prompt patching is essential to safeguard applications utilizing this client.

Affected Version(s)

mint 0.1.0 < 1.9.3

mint 60089586ec7adc9fddb09f69a2f5919ba9ac7f33

References

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Thepigtails
Andrea Leopardi
Eric Meadows-Jönsson
Jonatan Männchen / EEF
.