CVE-2026-49756
LowCVSS 2.1Exploitation Probability (EPSS)
Low risk6th percentile — higher than 6% of all known CVEs
Summary
The CRLF Injection vulnerability in the wojtekmach Req library allows multipart parameter smuggling via maliciously modified part metadata. The issue arises from improper neutralization of CRLF sequences in headers built from user-supplied data.
Risk Assessment
Organizations may be exposed to attacks that allow arbitrary headers to be injected into outgoing multipart bodies, potentially leading to unauthorized access or data manipulation. Attackers can also smuggle additional fields and parts into requests sent to downstream services.
Recommendation
It is recommended to update the Req library to version 0.6.0 or later to mitigate this vulnerability. Additionally, implement proper validation and sanitization mechanisms for input data, especially for filenames and MIME types.
Original NVD description (English source)
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in wojtekmach Req allows multipart parameter smuggling via attacker-influenced part metadata. Req.Utils.encode_form_part/2 in lib/req/utils.ex builds the per-part headers by interpolating the caller-supplied name, filename, and content_type values directly into the content-disposition and content-type lines with no escaping or CRLF stripping. A value containing ", \r, or \n closes the surrounding quoted value and starts a new header line; an additional \r\n--<boundary> terminates the current part and prepends a smuggled part of the attacker's choosing. This is reachable through every supported way of supplying a part. It is particularly easy when value is a %File.Stream{}, because filename then defaults to Path.basename(stream.path) and POSIX filenames may legitimately contain \r and \n. Any application that forwards user-controlled filenames (or field names / MIME types) through Req.post/2 with form_multipart: lets an attacker inject arbitrary headers into the outgoing multipart body or smuggle additional fields and parts into the request the victim service sends downstream. This issue affects req: from 0.5.3 before 0.6.0.

