HTTP Response Smuggling Vulnerability in Elixir Mint Client
CVE-2026-59249
What is CVE-2026-59249?
The Elixir Mint HTTP client is susceptible to an HTTP response smuggling vulnerability due to improper handling of the chunk-size line in chunked transfer-encoded responses. This issue arises when the Mint client processes a chunk-size with a leading sign, which diverges from RFC 7230 specifications. As a result, an attacker leveraging a malicious HTTP/1 server can desynchronize the strict intermediary and the Mint client on a pooled connection. This enables them to inject bytes into the response queue, leading to corrupt responses for unrelated requests. Versions from 0.1.0 before 1.9.3 are affected. Prompt patching is essential to safeguard applications utilizing this client.
Affected Version(s)
mint 0.1.0 < 1.9.3
mint 60089586ec7adc9fddb09f69a2f5919ba9ac7f33
References
CVSS V4
Timeline
Vulnerability published
Vulnerability Reserved
