CVE-2026-59249 in mint
Summary
by MITRE • 07/16/2026
Inconsistent interpretation of HTTP requests (HTTP response smuggling) vulnerability in elixir-mint mint allows a malicious HTTP/1 server to desynchronize a strict intermediary and the Mint client on the same pooled connection, enabling response-queue poisoning against subsequent requests that share the connection.
The Mint.HTTP1.decode_body/5 function in lib/mint/http1.ex parses the chunk-size line of a Transfer-Encoding: chunked response with Integer.parse(data, 16). RFC 7230 defines chunk-size = 1*HEXDIG and forbids any sign prefix, but Integer.parse/2 accepts an optional leading + or -. A chunk-size line of +5 is accepted as a five-byte chunk; lines of +0 and -0 are accepted as the terminating zero-length chunk and end the message body early.
An RFC-strict intermediary in the response path rejects these forms, so the intermediary and the Mint client disagree on where one response ends and the next begins. On a pooled keep-alive connection, an attacker-influenced origin can inject bytes that the client attributes to the next legitimate response on the same connection, poisoning the response queue and corrupting the responses returned to unrelated in-flight requests.
This issue affects mint: from 0.1.0 before 1.9.3.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/16/2026
The vulnerability described represents a critical HTTP response smuggling flaw in the elixir-mint library that exploits inconsistencies in HTTP/1.1 request interpretation. This security weakness specifically targets the Mint.HTTP1.decode_body/5 function which processes Transfer-Encoding: chunked responses by parsing chunk-size lines using Integer.parse(data, 16). The core technical flaw stems from the deviation between RFC 7230 compliance and the implementation's handling of hexadecimal numeric values. According to RFC 7230 specification, chunk-size must consist of one or more hexadecimal digits without any sign prefixes as defined by chunk-size = 1*HEXDIG, yet the Integer.parse/2 function accepts optional leading + or - characters that violate this standard. This discrepancy creates a fundamental mismatch where legitimate HTTP servers that strictly adhere to RFC 7230 reject malformed chunk-size values while Mint clients accept them, leading to protocol desynchronization.
The operational impact of this vulnerability manifests through connection-level response queue poisoning on pooled keep-alive connections. When an attacker controls an HTTP/1 server that shares the same connection with legitimate requests, they can inject specially crafted chunk-size lines such as "+5" which Mint interprets as a five-byte chunk, or "+0" and "-0" which are accepted as terminating zero-length chunks. This premature termination causes the client to believe a response has ended when it actually continues, creating a desynchronization state where subsequent requests on the same connection become corrupted. The poisoned response queue affects not just the malicious request but also unrelated in-flight requests that share the same pooled connection, potentially exposing sensitive data or enabling further attack vectors through response manipulation.
This vulnerability directly maps to CWE-444 and CWE-1287 classifications within the Common Weakness Enumeration framework, representing a failure to properly validate input according to protocol specifications. The issue also aligns with ATT&CK technique T1071.004 for application layer protocol manipulation and T1566 for malicious code injection through HTTP responses. The root cause lies in the improper parsing of chunk-size values that should strictly follow RFC 7230 but instead accept non-conforming syntax. Attackers can leverage this weakness to perform response smuggling attacks by injecting bytes that appear as part of legitimate responses, causing downstream clients to process corrupted data streams. The vulnerability's impact is particularly severe in environments using connection pooling since a single malicious response can compromise multiple subsequent requests sharing the same connection.
The recommended mitigations include upgrading to mint version 1.9.3 or later where this parsing issue has been resolved through stricter adherence to RFC 7230 specifications. Security teams should implement monitoring for unusual chunk-size patterns in HTTP responses, particularly those containing leading signs, and establish proper input validation at the network level to filter out malformed requests before they reach the Mint client. Additionally, organizations using connection pooling should consider implementing more robust connection management policies that minimize the risk of cross-request contamination, including reducing connection reuse timeframes or implementing per-request connection isolation where feasible. The fix ensures that chunk-size parsing strictly conforms to RFC 7230 requirements by rejecting any sign prefixes and maintaining consistent interpretation between intermediaries and client implementations.