CVE-2026-48598

Description

Improper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped Content-Disposition parameter values. Tesla.Multipart.part_headers_for_disposition/1 interpolates each disposition parameter as #{k}="#{v}" with no validation of CR (\r), LF (\n), or double-quote characters. The values come verbatim from the caller via Tesla.Multipart.add_field/4 (the name parameter), Tesla.Multipart.add_file/3, and Tesla.Multipart.add_file_content/4 (both the filename parameter and other disposition opts). A " in the value closes the quoted parameter early; a \r\n ends the Content-Disposition header line and starts a new part header (such as a forged Content-Type), or, after a second \r\n, ends the entire part header block and prepends bytes to the part body. The default-filename path in add_file/3 derives the filename via Path.basename/1, which does not strip CR or LF, so any application forwarding a partially-attacker-controlled file path inherits the same issue. This issue affects tesla: from 0.8.0 before 1.18.3.

Source: NVD

References

• [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-48598
• [Other]https://cna.erlef.org/cves/CVE-2026-48598.html
• [Other]https://github.com/elixir-tesla/tesla/commit/bb1a2c3da2775924d96e3db8e315dcc4d5d2246e
• [Other]https://github.com/elixir-tesla/tesla/security/advisories/GHSA-28jh-g32x-v9v4
• [Other]https://osv.dev/vulnerability/EEF-CVE-2026-48598
• [Other]https://github.com/elixir-tesla/tesla/security/advisories/GHSA-28jh-g32x-v9v4

Related CVEs