Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

EEF-CVE-2026-48596

Low CVSS: 2.1
Permalink JSON

CRLF injection in Tesla.Multipart.add_content_type_param/2 allows HTTP header injection

Affected Packages Affected Versions Fixed Versions
hex:tesla >= 0.8.0, < 1.18.3 1.18.3
574 Dependent packages
1,212 Dependent repositories
71,937,402 Downloads total

Affected Version Ranges

All affected versions

0.8.0, 0.9.0, 0.10.0, 1.0.0, 1.0.0-beta.1, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.7.0, 1.8.0, 1.8.1, 1.9.0, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.11.0, 1.11.1, 1.11.2, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.14.1, 1.14.2, 1.14.3, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.16.0, 1.17.0, 1.18.0, 1.18.1, 1.18.2

All unaffected versions

0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.2.1, 0.2.2, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.5.0, 0.5.1, 0.5.2, 0.6.0, 0.7.0, 0.7.1, 0.7.2, 1.18.3, 1.20.0

Potentially Affected Packages

These packages share the same source repository and may be affected by this vulnerability, but are not listed in the advisory.

Package Ecosystem Latest Version Classification
github.com/elixir-tesla/tesla go Repackage

Summary

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in elixir-tesla tesla allows HTTP header injection via Tesla.Multipart.add_content_type_param/2.

Tesla.Multipart.add_content_type_param/2 appends caller-supplied strings to the multipart content_type_params list without validating for CR (\r) or LF (\n) characters. Tesla.Multipart.headers/1 then joins these params verbatim with "; " to construct the outgoing Content-Type header value. A param containing \r\n splits the header line, allowing arbitrary headers to be injected into the outbound HTTP request. Any application that forwards untrusted input (such as a user-supplied charset or parameter string) into add_content_type_param/2 is affected.

This issue affects tesla: from 0.8.0 before 1.18.3.

Workaround

Validate content-type parameter strings before passing them to Tesla.Multipart.add_content_type_param/2, rejecting any value that contains \r or \n.

Configuration

The application must pass untrusted input into Tesla.Multipart.add_content_type_param/2.

References:

Identifiers

EEF-CVE-2026-48596

GHSA-q7jx-v53g-848w

CVE-2026-48596

Risk

Severity

Low

CVSS

CVSS Score: 2.1

CVSS vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

Source

Erlang Ecosystem Foundation

Origin

Erlef

Repository

https://github.com/elixir-tesla/tesla
View on Ecosyste.ms

Date and time

Published

13 days ago

Updated

12 days ago

API

JSON