{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/elixir/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-48594"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["tesla (\u003e= 0.6.0, \u003c 1.18.3)"],"_cs_severities":["medium"],"_cs_tags":["resource-exhaustion","denial-of-service","library-vulnerability","elixir"],"_cs_type":"advisory","_cs_vendors":["elixir-tesla"],"content_html":"\u003cp\u003eA high-severity vulnerability, tracked as CVE-2026-48594, exists in the Tesla Elixir HTTP client library, specifically affecting versions 0.6.0 through 1.18.2. This flaw, dubbed a \u0026quot;decompression bomb,\u0026quot; can be exploited by an attacker who controls a server that a vulnerable Tesla client contacts, or via a redirect. The vulnerability arises when the \u003ccode\u003eTesla.Middleware.DecompressResponse\u003c/code\u003e or \u003ccode\u003eTesla.Middleware.Compression\u003c/code\u003e middleware component eagerly decompresses HTTP response bodies without any size limits. An attacker can craft a minuscule gzip-encoded payload coupled with multiple \u003ccode\u003econtent-encoding\u003c/code\u003e headers (e.g., \u003ccode\u003egzip, gzip, gzip, gzip\u003c/code\u003e), which, upon recursive decompression, expands exponentially into gigabytes of data on the BEAM heap. This excessive memory consumption inevitably leads to the client application crashing or freezing, effectively causing a denial of service. Defenders must ensure that applications utilizing the affected \u003ccode\u003etesla\u003c/code\u003e library are patched to version 1.18.3 or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains control of a server or compromises a legitimate server that a victim's Tesla client application is likely to contact.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the server to serve a specially crafted HTTP response.\u003c/li\u003e\n\u003cli\u003eThe crafted response includes a tiny gzip-compressed payload that is designed to expand significantly upon decompression.\u003c/li\u003e\n\u003cli\u003eCrucially, the response features multiple \u003ccode\u003econtent-encoding\u003c/code\u003e headers, such as \u003ccode\u003egzip, gzip, gzip, gzip\u003c/code\u003e, to trigger recursive decompression.\u003c/li\u003e\n\u003cli\u003eA legitimate application, running an affected \u003ccode\u003etesla\u003c/code\u003e library version (0.6.0 to 1.18.2) and configured with \u003ccode\u003eTesla.Middleware.DecompressResponse\u003c/code\u003e or \u003ccode\u003eTesla.Middleware.Compression\u003c/code\u003e, makes an HTTP request to the attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etesla\u003c/code\u003e client receives the malicious HTTP response from the attacker's server.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edecompress_body/2\u003c/code\u003e function within the \u003ccode\u003etesla\u003c/code\u003e middleware attempts to decompress the response recursively for each \u003ccode\u003econtent-encoding\u003c/code\u003e token, without any output size validation.\u003c/li\u003e\n\u003cli\u003eThis process exponentially inflates the small payload into gigabytes of data within the BEAM heap, exhausting the application's memory resources and causing it to crash or freeze, resulting in a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of CVE-2026-48594 is a denial of service (DoS) for any application utilizing the affected \u003ccode\u003etesla\u003c/code\u003e client library (versions 0.6.0 through 1.18.2) with the \u003ccode\u003eTesla.Middleware.DecompressResponse\u003c/code\u003e or \u003ccode\u003eTesla.Middleware.Compression\u003c/code\u003e middleware. The attacker's objective is to render the targeted application unusable by forcing it to consume all available memory. A successful attack can lead to application downtime, data processing failures, and disruption of critical services, potentially affecting any sector relying on Elixir applications performing HTTP requests with the vulnerable middleware. This vulnerability carries a high severity CVSS v4.0 score of 8.2.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-48594\u003c/strong\u003e by upgrading the \u003ccode\u003eerlang/tesla\u003c/code\u003e package to version 1.18.3 or later immediately.\u003c/li\u003e\n\u003cli\u003eReview applications for the inclusion of \u003ccode\u003eTesla.Middleware.DecompressResponse\u003c/code\u003e or \u003ccode\u003eTesla.Middleware.Compression\u003c/code\u003e in their Tesla middleware pipeline. If present, ensure they are running patched versions.\u003c/li\u003e\n\u003cli\u003eImplement application-level monitoring for abnormal and sudden increases in memory consumption by Elixir applications, especially those making outbound HTTP requests, to detect potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T00:08:28Z","date_published":"2026-07-10T00:08:28Z","id":"https://feed.craftedsignal.io/briefs/2026-07-tesla-decompression-bomb/","summary":"A critical vulnerability, CVE-2026-48594, in the Tesla Elixir HTTP client library allows an attacker to cause a denial of service by serving a specially crafted HTTP response with multiple `content-encoding` headers that, when processed by vulnerable versions (0.6.0 through 1.18.2) of the client using `Tesla.Middleware.DecompressResponse` or `Tesla.Middleware.Compression`, leads to exponential memory expansion and application crashes.","title":"Tesla Elixir Client Decompression Bomb (CVE-2026-48594)","url":"https://feed.craftedsignal.io/briefs/2026-07-tesla-decompression-bomb/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-48595"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["tesla (\u003e= 0.6.0, \u003c 1.18.3)"],"_cs_severities":["high"],"_cs_tags":["credential-access","exfiltration","vulnerability","elixir","http-client"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA high-severity vulnerability, CVE-2026-48595, has been identified in the \u003ccode\u003etesla\u003c/code\u003e Elixir HTTP client library, specifically within its \u003ccode\u003eTesla.Middleware.FollowRedirects\u003c/code\u003e component. This flaw impacts versions 0.6.0 up to, but not including, 1.18.3. The middleware is designed to strip sensitive \u003ccode\u003eAuthorization\u003c/code\u003e headers when following cross-origin redirects to prevent credential leakage. However, its internal filter performs a case-sensitive comparison against a lowercase string \u003ccode\u003e\u0026quot;authorization\u0026quot;\u003c/code\u003e. Because \u003ccode\u003etesla\u003c/code\u003e preserves header keys exactly as supplied, applications using the RFC 7235 canonical casing (\u003ccode\u003e\u0026quot;Authorization\u0026quot;\u003c/code\u003e) bypass this filter entirely. Consequently, if an application sends a request with an \u003ccode\u003eAuthorization\u003c/code\u003e header using canonical casing and is redirected to an attacker-controlled origin, sensitive credentials like bearer tokens can be inadvertently leaked to the attacker. This poses a significant risk to applications relying on \u003ccode\u003etesla\u003c/code\u003e for secure HTTP communications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker establishes control over a web server or service capable of issuing HTTP \u003ccode\u003e302\u003c/code\u003e redirects to an arbitrary, attacker-controlled domain (e.g., a malicious server, a redirect-open service, or a compromised upstream server).\u003c/li\u003e\n\u003cli\u003eA victim application, using the \u003ccode\u003etesla\u003c/code\u003e Elixir HTTP client library (version 0.6.0 through 1.18.2) with \u003ccode\u003eTesla.Middleware.FollowRedirects\u003c/code\u003e enabled, constructs an outbound HTTP request.\u003c/li\u003e\n\u003cli\u003eThe victim application includes an \u003ccode\u003eAuthorization\u003c/code\u003e header with canonical casing (e.g., \u003ccode\u003e{\u0026quot;Authorization\u0026quot;, \u0026quot;Bearer \u0026lt;token\u0026gt;\u0026quot;}\u003c/code\u003e) for authentication in its request.\u003c/li\u003e\n\u003cli\u003eThe victim application sends its request to an endpoint, which the attacker can influence to issue an HTTP \u003ccode\u003e302\u003c/code\u003e (or similar redirect status code) pointing to the attacker-controlled domain.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eTesla.Middleware.FollowRedirects\u003c/code\u003e component within the victim application attempts to filter sensitive headers before automatically following the redirect.\u003c/li\u003e\n\u003cli\u003eDue to a case-sensitive comparison logic (\u003ccode\u003e\u0026quot;authorization\u0026quot;\u003c/code\u003e vs. \u003ccode\u003e\u0026quot;Authorization\u0026quot;\u003c/code\u003e), the middleware fails to identify and strip the canonical \u003ccode\u003eAuthorization\u003c/code\u003e header from the outgoing request.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etesla\u003c/code\u003e client follows the redirect and inadvertently includes the sensitive \u003ccode\u003eAuthorization\u003c/code\u003e header, complete with its bearer token or other credentials, in the request to the attacker-controlled domain, leading to credential theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability carries a high severity (CVSS v4.0: 8.2). Any application utilizing \u003ccode\u003etesla\u003c/code\u003e versions 0.6.0 through 1.18.2 with \u003ccode\u003eTesla.Middleware.FollowRedirects\u003c/code\u003e and supplying non-lowercase \u003ccode\u003eAuthorization\u003c/code\u003e headers is at risk. Successful exploitation results in the leakage of sensitive credentials, such as bearer tokens, to an attacker-controlled endpoint. This can lead to unauthorized access to systems or data, session hijacking, and further compromise of the victim's environment, directly impacting the confidentiality and integrity of affected applications and their users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePrioritize upgrading the \u003ccode\u003etesla\u003c/code\u003e Elixir HTTP client library to version 1.18.3 or later immediately to remediate CVE-2026-48595.\u003c/li\u003e\n\u003cli\u003eIf immediate patching is not possible, implement the recommended workaround by normalizing all \u003ccode\u003eAuthorization\u003c/code\u003e header keys to lowercase (e.g., \u003ccode\u003e\u0026quot;authorization\u0026quot;\u003c/code\u003e) before passing them to \u003ccode\u003etesla\u003c/code\u003e via \u003ccode\u003eTesla.put_header/3\u003c/code\u003e or \u003ccode\u003eTesla.Middleware.Headers\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview application code for the usage of \u003ccode\u003eTesla.Middleware.FollowRedirects\u003c/code\u003e and how \u003ccode\u003eAuthorization\u003c/code\u003e headers are set to identify potentially vulnerable instances.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T00:07:45Z","date_published":"2026-07-10T00:07:45Z","id":"https://feed.craftedsignal.io/briefs/2026-07-tesla-header-leak/","summary":"A vulnerability in the `Tesla.Middleware.FollowRedirects` component of the `tesla` Elixir HTTP client library allows `Authorization` headers to be leaked during cross-origin redirects due to a case-sensitive comparison, enabling an attacker controlling a redirect destination to receive bearer tokens or other credentials from applications using `tesla` versions 0.6.0 through 1.18.2.","title":"Tesla Elixir HTTP Client Header Leak via Case-Sensitive Redirect Filtering (CVE-2026-48595)","url":"https://feed.craftedsignal.io/briefs/2026-07-tesla-header-leak/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-48597"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["tesla (\u003e= 1.3.0, \u003c 1.18.3)"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","elixir","erlang","vulnerability","web-application"],"_cs_type":"advisory","_cs_vendors":["elixir-tesla"],"content_html":"\u003cp\u003eAn unauthenticated attacker can trigger a remote denial-of-service (DoS) condition in applications utilizing the \u003ccode\u003eerlang/tesla\u003c/code\u003e HTTP client library, specifically when configured with \u003ccode\u003eTesla.Adapter.Mint\u003c/code\u003e. This vulnerability, identified as CVE-2026-48597, affects Tesla versions from 1.3.0 up to 1.18.2. The flaw stems from \u003ccode\u003eTesla.Adapter.Mint.open_conn/2\u003c/code\u003e passing untrusted URL schemes directly to \u003ccode\u003eString.to_atom/1\u003c/code\u003e without validation. As BEAM (Erlang Virtual Machine) atoms are permanent and its atom table has a finite capacity of approximately 1,048,576 entries, repeatedly supplying unique, non-standard URL schemes (e.g., \u003ccode\u003eatk1://\u003c/code\u003e, \u003ccode\u003eatk2://\u003c/code\u003e) causes the VM to continuously mint new atoms. This eventually exhausts the atom table, leading to an immediate crash of the Elixir/Erlang VM and consequently, the affected application. This attack requires no special privileges beyond the ability to send HTTP requests to a vulnerable application endpoint that processes user-supplied URLs or leverages \u003ccode\u003eTesla.Middleware.FollowRedirects\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an application using \u003ccode\u003eerlang/tesla\u003c/code\u003e versions 1.3.0 through 1.18.2 with \u003ccode\u003eTesla.Adapter.Mint\u003c/code\u003e configured, and which exposes an endpoint that processes user-supplied URLs (e.g., a webhook relay, link preview service, or SSRF-style proxy) or includes \u003ccode\u003eTesla.Middleware.FollowRedirects\u003c/code\u003e in its pipeline.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to the vulnerable application, including a URL with a novel, non-standard scheme (e.g., \u003ccode\u003eatk1://attacker.com/path\u003c/code\u003e) in a parameter that the application forwards to the Tesla HTTP client.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eTesla.Adapter.Mint.open_conn/2\u003c/code\u003e function receives this untrusted URL and extracts the scheme (e.g., \u0026quot;atk1\u0026quot;).\u003c/li\u003e\n\u003cli\u003eThe extracted scheme is passed directly to \u003ccode\u003eString.to_atom/1\u003c/code\u003e, which creates and interns a new, permanent atom in the BEAM VM's atom table.\u003c/li\u003e\n\u003cli\u003eAlthough the \u003ccode\u003eMint\u003c/code\u003e library subsequently rejects the connection attempt due to the unrecognized scheme, the newly created atom persists in the VM's global atom table.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats steps 2-5, sending approximately 1,000,000 requests, each with a distinct and previously unused URL scheme (e.g., \u003ccode\u003eatk2://\u003c/code\u003e, \u003ccode\u003eatk3://\u003c/code\u003e, etc.).\u003c/li\u003e\n\u003cli\u003eUpon reaching the BEAM VM's atom table capacity limit (roughly 1,048,576 entries), the \u003ccode\u003eString.to_atom/1\u003c/code\u003e call fails, leading to a fatal error that crashes the entire Elixir/Erlang VM.\u003c/li\u003e\n\u003cli\u003eThe application hosting the Tesla client becomes unavailable, resulting in a remote denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis high-severity vulnerability (CVSS v4.0: 8.2) allows an unauthenticated attacker to remotely trigger a complete denial of service for any application using \u003ccode\u003eerlang/tesla\u003c/code\u003e versions 1.3.0 through 1.18.2 with the \u003ccode\u003eTesla.Adapter.Mint\u003c/code\u003e adapter. The attack results in a crash of the underlying BEAM Virtual Machine, making the affected application entirely unavailable. No specific victim count or targeted sectors have been publicly identified, but any Elixir application fitting the criteria that processes untrusted URL input is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch \u003ccode\u003eerlang/tesla\u003c/code\u003e to version 1.18.3 or later immediately to remediate CVE-2026-48597.\u003c/li\u003e\n\u003cli\u003eReview any application features that forward untrusted URLs through \u003ccode\u003eTesla.Adapter.Mint\u003c/code\u003e and implement robust input validation or allow-listing for URL schemes before passing them to the Tesla client.\u003c/li\u003e\n\u003cli\u003eIf \u003ccode\u003eTesla.Middleware.FollowRedirects\u003c/code\u003e is used in conjunction with untrusted inputs, ensure that redirect targets are properly validated and schemes are restricted to \u003ccode\u003ehttp(s)\u003c/code\u003e to prevent exploitation via malicious \u003ccode\u003eLocation\u003c/code\u003e headers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T00:07:00Z","date_published":"2026-07-10T00:07:00Z","id":"https://feed.craftedsignal.io/briefs/2026-07-tesla-atom-exhaustion/","summary":"A high-severity denial-of-service vulnerability (CVE-2026-48597) in the `Tesla.Adapter.Mint` component of the Elixir Tesla HTTP client library, affecting versions 1.3.0 through 1.18.2, allows an unauthenticated attacker to crash the underlying BEAM VM by supplying untrusted URL schemes, leading to atom exhaustion.","title":"Tesla HTTP Client Library Vulnerable to Atom Exhaustion Leading to Denial of Service (CVE-2026-48597)","url":"https://feed.craftedsignal.io/briefs/2026-07-tesla-atom-exhaustion/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-49754"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Mint (\u003c 1.9.0)"],"_cs_severities":["medium"],"_cs_tags":["http/2","denial-of-service","vulnerability","elixir","mint"],"_cs_type":"advisory","_cs_vendors":["Elixir Mint"],"content_html":"\u003cp\u003eThe Elixir Mint HTTP/2 client is vulnerable to a denial-of-service attack (CVE-2026-49754) due to an unbounded accumulation of \u003ccode\u003eCONTINUATION\u003c/code\u003e header-block fragments. This vulnerability, disclosed by GHSA, allows a malicious or compromised HTTP/2 server to exhaust the client's memory. By streaming an endless sequence of \u003ccode\u003eCONTINUATION\u003c/code\u003e frames following an initial \u003ccode\u003eHEADERS\u003c/code\u003e frame that lacks the \u003ccode\u003eEND_HEADERS\u003c/code\u003e flag, an attacker can drive the client's process memory to arbitrary size. This flaw affects Mint versions prior to 1.9.0 and requires no specific client-side configuration, making the default Mint client susceptible. A single connection to an attacker-controlled HTTP/2 endpoint is sufficient to trigger memory exhaustion and ultimately crash the BEAM process, resulting in a remote, unauthenticated denial-of-service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA victim application using the Elixir Mint HTTP/2 client establishes an HTTP/2 connection to a server.\u003c/li\u003e\n\u003cli\u003eThe client sends an HTTP/2 \u003ccode\u003eHEADERS\u003c/code\u003e frame as part of a request to the server.\u003c/li\u003e\n\u003cli\u003eAn attacker-controlled or compromised HTTP/2 server receives the client's request.\u003c/li\u003e\n\u003cli\u003eThe malicious server responds to the client's request by sending a \u003ccode\u003eHEADERS\u003c/code\u003e frame on stream 1, deliberately setting \u003ccode\u003eflags = 0\u003c/code\u003e (omitting \u003ccode\u003eEND_HEADERS\u003c/code\u003e and \u003ccode\u003eEND_STREAM\u003c/code\u003e) and including an empty header-block fragment.\u003c/li\u003e\n\u003cli\u003eThe malicious server then continuously streams \u003ccode\u003eCONTINUATION\u003c/code\u003e frames on stream 1, each with \u003ccode\u003eflags = 0\u003c/code\u003e and a payload up to the peer-advertised \u003ccode\u003eSETTINGS_MAX_FRAME_SIZE\u003c/code\u003e, never setting \u003ccode\u003eEND_HEADERS\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Mint client's HTTP/2 receive path, specifically the \u003ccode\u003e'Elixir.Mint.HTTP2':handle_continuation/3\u003c/code\u003e function, continuously appends these \u003ccode\u003eCONTINUATION\u003c/code\u003e fragments to the \u003ccode\u003econn.headers_being_processed\u003c/code\u003e buffer.\u003c/li\u003e\n\u003cli\u003eDue to the absence of per-stream size caps or \u003ccode\u003eCONTINUATION\u003c/code\u003e frame-count caps, the client's process memory grows linearly and uncontrollably with the incoming flood of \u003ccode\u003eCONTINUATION\u003c/code\u003e frames.\u003c/li\u003e\n\u003cli\u003eThe unbounded memory growth eventually leads to memory exhaustion and an Out-Of-Memory (OOM) error, causing the entire Elixir BEAM process running the Mint client to crash, resulting in a denial-of-service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-49754 results in a remote, unauthenticated denial-of-service against any application utilizing the Elixir Mint HTTP/2 client to connect to an untrusted or attacker-influenced server. A single connection is sufficient for an attacker to drive the client's memory to an arbitrary size, leading to the crash of the underlying BEAM process. This can incapacitate critical services or applications relying on Mint for HTTP/2 communication, causing significant operational disruption and data unavailability. The default Mint configuration is vulnerable, requiring no specific client-side opt-in for exploitation. The vulnerability has been scored CVSS v4.0 8.2 (HIGH).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Elixir Mint library to version 1.9.0 or later to patch CVE-2026-49754.\u003c/li\u003e\n\u003cli\u003eIf immediate patching is not possible, restrict Mint to HTTP/1 for connections to untrusted servers by passing \u003ccode\u003eprotocols: [:http1]\u003c/code\u003e to \u003ccode\u003e'Elixir.Mint.HTTP':connect/4\u003c/code\u003e to avoid the vulnerable HTTP/2 receive path, as outlined in the workarounds.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T23:21:55Z","date_published":"2026-07-09T23:21:55Z","id":"https://feed.craftedsignal.io/briefs/2026-07-mint-http2-continuation-flood/","summary":"A malicious or compromised HTTP/2 server can exploit CVE-2026-49754 in the Elixir Mint HTTP/2 client by sending an endless chain of CONTINUATION frames without an END_HEADERS flag, leading to unbounded memory accumulation, process exhaustion, and remote unauthenticated denial-of-service.","title":"Mint HTTP/2 Client Vulnerable to Unbounded CONTINUATION Frame Accumulation (CVE-2026-49754)","url":"https://feed.craftedsignal.io/briefs/2026-07-mint-http2-continuation-flood/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-48862"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Mint (\u003e= 0.2.0, \u003c 1.9.0)"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","http/2","elixir","client-side","vulnerability"],"_cs_type":"advisory","_cs_vendors":["elixir-mint"],"content_html":"\u003cp\u003eElixir-Mint HTTP/2 client versions 0.2.0 through 1.8.x are vulnerable to a remote, unauthenticated denial-of-service attack, identified as CVE-2026-48862. A hostile or compromised HTTP/2 server can leverage this vulnerability by sending an excessive number of \u003ccode\u003ePUSH_PROMISE\u003c/code\u003e frames without following up with the matching \u003ccode\u003eHEADERS\u003c/code\u003e. Mint's client, by default, accepts \u003ccode\u003ePUSH_PROMISE\u003c/code\u003e frames and inserts entries into an internal connection stream map without properly enforcing the \u003ccode\u003emax_concurrent_streams\u003c/code\u003e limit, causing the map to grow indefinitely. This unbounded growth leads to linear memory consumption within the client process, eventually resulting in an out-of-memory (OOM) crash and denying service. This vulnerability affects any application using Mint as an HTTP/2 client, especially those connecting to untrusted or attacker-influenced servers, such as web backends, webhook delivery systems, and proxy components.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious or compromised HTTP/2 server establishes a long-lived HTTP/2 connection with a vulnerable Mint client.\u003c/li\u003e\n\u003cli\u003eThe Mint client sends its initial request \u003ccode\u003eHEADERS\u003c/code\u003e for a specific odd stream ID.\u003c/li\u003e\n\u003cli\u003eThe malicious server captures the client's request stream ID.\u003c/li\u003e\n\u003cli\u003eThe malicious server then sends a rapid flood of \u003ccode\u003ePUSH_PROMISE\u003c/code\u003e frames, each associated with the client's request stream ID.\u003c/li\u003e\n\u003cli\u003eEach \u003ccode\u003ePUSH_PROMISE\u003c/code\u003e frame specifies a new, unique even stream ID and carries a minimal HPACK-encoded header block.\u003c/li\u003e\n\u003cli\u003eThe Mint client processes each \u003ccode\u003ePUSH_PROMISE\u003c/code\u003e frame, adding a \u003ccode\u003e:reserved_remote\u003c/code\u003e entry into its \u003ccode\u003econn.streams\u003c/code\u003e map for every promised stream ID without consulting \u003ccode\u003emax_concurrent_streams\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious server intentionally withholds the corresponding response \u003ccode\u003eHEADERS\u003c/code\u003e for all the promised stream IDs.\u003c/li\u003e\n\u003cli\u003eAs the \u003ccode\u003econn.streams\u003c/code\u003e map grows linearly with each unfulfilled \u003ccode\u003ePUSH_PROMISE\u003c/code\u003e frame, the Mint client's process consumes an increasing amount of memory until it crashes due to an Out-Of-Memory (OOM) error.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-48862 results in a remote, unauthenticated denial-of-service against any process utilizing Mint as an HTTP/2 client when connecting to an untrusted or attacker-controlled server. Since HTTP/2 server push is enabled by default in Mint, no specific application opt-in is required for the vulnerability to be exploitable. Affected systems include outbound HTTP/2 clients in web backends, webhook delivery services, data scrapers, federated components, and proxy services that interact with external HTTP/2 origins. An attacker can crash the client process, rendering the service unavailable and potentially requiring manual intervention to restore.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all affected Mint HTTP/2 clients to version 1.9.0 or newer immediately to mitigate CVE-2026-48862.\u003c/li\u003e\n\u003cli\u003eFor systems that cannot be immediately upgraded, disable HTTP/2 server push on connections to untrusted servers by explicitly passing \u003ccode\u003eclient_settings: [enable_push: false]\u003c/code\u003e to the \u003ccode\u003e'Elixir.Mint.HTTP':connect/4\u003c/code\u003e function as a workaround for CVE-2026-48862.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T23:21:09Z","date_published":"2026-07-09T23:21:09Z","id":"https://feed.craftedsignal.io/briefs/2026-07-mint-dos/","summary":"A malicious or compromised HTTP/2 server can exploit CVE-2026-48862 in Mint HTTP/2 clients by flooding them with PUSH_PROMISE frames and withholding corresponding HEADERS, leading to unbounded memory consumption and denial-of-service.","title":"Mint HTTP/2 Client Unbounded Stream Map Growth Denial-of-Service (CVE-2026-48862)","url":"https://feed.craftedsignal.io/briefs/2026-07-mint-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Elixir","version":"https://jsonfeed.org/version/1.1"}