Jul 10, 2026·6 min read·6 visits
An unauthenticated, remote attacker can crash any Elixir application utilizing the Mint client library to establish HTTP/2 connections by hosting a malicious server that streams an infinite series of HTTP/2 CONTINUATION frames.
An allocation of resources without limits or throttling vulnerability in Elixir Mint allows an attacker-controlled HTTP/2 server to exhaust memory in a Mint client. The vulnerability is exploited by sending a HEADERS frame without the END_HEADERS flag followed by an infinite stream of CONTINUATION frames. Because the client lacks limits on the incoming header-block accumulator, the client continuously consumes memory until an out-of-memory crash occurs.
The Mint library is an HTTP/1 and HTTP/2 client for Elixir, widely used within the Erlang Ecosystem for low-level protocol management. During HTTP/2 processing, Mint relies on a state machine to parse incoming streams. One of the core mechanics of HTTP/2 is frame-based multiplexing, which includes dividing large header sets across multiple frames using the CONTINUATION frame format.
Under normal execution, if a HEADERS or PUSH_PROMISE frame exceeds the maximum allowed payload size, the server clears the END_HEADERS flag and transmits the remaining block inside successive CONTINUATION frames. The client is obligated to buffer these unparsed fragments until it receives a CONTINUATION frame containing the END_HEADERS flag. This design introduces an attack surface where a peer can send frames indefinitely without closing the sequence.
In vulnerable versions of Mint (versions 0.1.0 up to 1.9.0), the parser did not enforce boundaries on the size or count of incoming CONTINUATION frames. This omission allows an attacker-controlled server to trigger a denial of service (DoS). A single connection to an attacker-controlled HTTP/2 endpoint is sufficient to exhaust the memory of the client host, causing a crash of the entire Erlang Virtual Machine.
The root cause of CVE-2026-49754 is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). When the Mint HTTP/2 engine processes a HEADERS frame without the END_HEADERS flag, it initiates a holding structure in the connection state. The unparsed fragment is saved in the conn.headers_being_processed tuple, awaiting the completion of the header block.
For each subsequent CONTINUATION frame received on that stream, Mint appends the new raw binary data to an accumulator list (iolist). The state machine relies on the default value of the :max_header_list_size configuration to define processing boundaries. In vulnerable releases, this configuration defaulted to :infinity for the receive path, and validation was only performed on outbound requests rather than inbound header blocks.
Because the receiver lacks an upper bound checking mechanism during accumulation, an attacker can stream an endless sequence of CONTINUATION frames. Each frame can contain up to the maximum negotiated payload size, typically 16 KiB. As the client process structures these pieces into an internal nested list, the memory consumption of the host Erlang VM process grows linearly with each frame, eventually triggering a kernel-level out-of-memory (OOM) termination.
The vulnerability manifests in how the receive state machine updates the state when receiving consecutive chunks. The original, vulnerable parsing implementation dynamically grew the connection state list without computing size limits.
# Vulnerable code structure in Mint.HTTP2
{^stream_id, hbf_acc, callback} = conn.headers_being_processed
if flag_set?(flags, :continuation, :end_headers) do
hbf = IO.iodata_to_binary([hbf_acc, hbf_chunk])
conn = put_in(conn.headers_being_processed, nil)
callback.(conn, responses, hbf, stream)
else
# Vulnerability: Unbounded accumulation of chunks into the connection state
conn = put_in(conn.headers_being_processed, {stream_id, [hbf_acc, hbf_chunk], callback})
{conn, responses}
endThe patched version introduces a tuple containing four elements: {stream_id, hbf_acc, callback, acc_size}. The implementation now explicitly calculates the cumulative byte size in $O(1)$ time complexity for every incoming frame chunk.
# Patched code structure in Mint.HTTP2
{^stream_id, hbf_acc, callback, acc_size} = conn.headers_being_processed
if flag_set?(flags, :continuation, :end_headers) do
hbf = IO.iodata_to_binary([hbf_acc, hbf_chunk])
conn = put_in(conn.headers_being_processed, nil)
callback.(conn, responses, hbf, stream)
else
new_size = acc_size + byte_size(hbf_chunk)
# Validation is enforced immediately on each chunk arrival
conn = assert_header_block_within_max_size(conn, new_size)
conn = put_in(
conn.headers_being_processed,
{stream_id, [hbf_acc, hbf_chunk], callback, new_size}
)
{conn, responses}
endThe check evaluates the current accumulator size against the locally defined max_header_list_size value. By default, this value has been changed from :infinity to 256 KB. If the total byte size exceeds this threshold, the connection terminates with a protocol error, preventing memory exhaustion.
Exploiting CVE-2026-49754 requires that a vulnerable Mint client establish an outbound HTTP/2 connection to an attacker-controlled endpoint. No administrative credentials or previous authentications are required. The attack succeeds purely based on protocol-level frame delivery.
Once the client initiates a request, the malicious server responds by sending a HEADERS frame without the END_HEADERS flag set. The server then streams a continuous loop of standard HTTP/2 CONTINUATION frames. Each frame contains maximum payload data, typically formatted as arbitrary or structured bytes. The server purposely avoids transmitting the END_HEADERS flag inside any subsequent frames.
Because the victim's client parser accumulates all payloads into the heap of the active connection process, memory exhaustion occurs rapidly. Laboratory replication reveals that sending approximately 64,000 frames (each containing 16 KiB of dummy payload) consumes over 1 GiB of RAM within seconds. The high rate of frame generation allows an attacker to quickly exhaust system memory and crash the client process.
The impact of CVE-2026-49754 is a complete loss of client availability. Because the Erlang Runtime System (BEAM) executes multiple concurrent applications and supervisors on a single VM, a crash in the low-level HTTP client process can propagate, leading to the termination of the entire system.
The vulnerability is highly critical for Elixir systems that query untrusted third-party services, perform web scraping, or parse outbound webhooks. An adversary can trigger a crash across an entire cluster of microservices by returning a crafted response to an outbound API call.
There is no risk to data integrity or confidentiality, as the bug does not allow arbitrary code execution, file disclosure, or privilege escalation. The CVSS 4.0 score of 8.2 reflects this high impact on availability, combined with low attack complexity.
To resolve the vulnerability, developers must upgrade the mint dependency in their Mix configuration to version 1.9.0 or later. This version enforces strict bounds checking and changes the default maximum header block size from :infinity to 256 KB.
If upgrading is not immediately possible, applications can work around the vulnerability by forcing connections to use HTTP/1.1 when talking to untrusted servers. The HTTP/1.1 parsing engine in Mint does not use the vulnerable multi-frame accumulation logic. This is achieved by passing the :protocols option explicitly.
# Workaround: Restrict connections to HTTP/1.1
Mint.HTTP.connect(:https, "untrusted-api.com", 443, protocols: [:http1])Security teams can deploy intrusion detection system (IDS) rules at the network perimeter to identify sessions with abnormal ratio balances of HTTP/2 CONTINUATION frames. Additionally, reverse proxies or web application firewalls (WAFs) can be placed in front of client outbound traffic to enforce strict HTTP/2 frame validation.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N| Product | Affected Versions | Fixed Version |
|---|---|---|
mint elixir-mint | >= 0.1.0, < 1.9.0 | 1.9.0 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-770 |
| Attack Vector | Network |
| CVSS v4.0 Score | 8.2 (High) |
| Exploit Maturity | Proof-of-Concept (PoC) |
| EPSS Score | 0.00384 |
| CISA KEV Status | Not Listed |
The application allocates memory or other resources without checking or restricting the total size, allowing an attacker to exhaust system resources.
CVE-2026-48861 is a client-side HTTP request-line CRLF (Carriage Return Line Feed) injection vulnerability in the popular Elixir HTTP client library, Mint. The vulnerability permits HTTP Request Splitting and HTTP Request Smuggling when an application forwards untrusted, attacker-controlled inputs to Mint's HTTP client requests as either the HTTP request method or target. By embedding CRLF characters within these parameters, an attacker can terminate the request line prematurely, inject malicious headers, or pipeline entirely independent requests. These smuggled requests are then processed by upstream or downstream proxy servers as separate HTTP queries on the same TCP connection. While Mint version 1.7.0 introduced target validation to secure the request target, the HTTP request method parameter remained completely unvalidated. This flaw allows attackers to bypass routing filters, access restricted internal APIs, or poison HTTP caches under default configurations.
An Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) vulnerability in the Elixir Mint HTTP client allows attacker-controlled HTTP/1 servers to desynchronize response framing on shared connections due to over-lenient parsing of sign-prefixed Content-Length headers.
CVE-2026-48596 is an Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting, CWE-113) in the Elixir Tesla HTTP client. The flaw resides in how multipart content-type parameters are joined and serialized, enabling attackers to inject arbitrary headers or split HTTP requests when applications pass untrusted inputs to the parameters of multipart uploads.
An improper handling of highly compressed data (decompression bomb) vulnerability exists in the Elixir Tesla HTTP client when utilizing response decompression middlewares. By serving highly compressed responses or stacked content-encoding headers, a malicious server can cause arbitrary heap exhaustion, leading to a denial of service (DoS) crash in the BEAM virtual machine.
A high-severity security vulnerability in Elixir's Tesla HTTP client library (CVE-2026-48595) allows unauthenticated remote attackers to harvest sensitive credentials, including Authorization headers and cookies. The flaw resides in the 'Tesla.Middleware.FollowRedirects' component, which performs case-sensitive lookups when stripping credentials during cross-origin redirects. Because HTTP headers are case-insensitive by RFC specifications, standard canonical casing (e.g., 'Authorization') bypasses the lowercase-only blocklist, leaking tokens to untrusted external redirect destinations.
CVE-2026-48597 is a high-severity Denial of Service (DoS) vulnerability in the Elixir HTTP client library Tesla (specifically involving the Mint adapter) that allows an unauthenticated remote attacker to cause an unrecoverable crash of the Erlang Virtual Machine (BEAM). The flaw arises from the dynamic conversion of untrusted URL schemes into Erlang atoms without validation, leading to global atom table exhaustion.