PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59249 elixir-mint CVE debrief

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T12:18:07.170Z and has not been modified since then. This CVE record details an inconsistent interpretation of HTTP requests (HTTP response smuggling) vulnerability in elixir-mint mint. The vulnerability allows a malicious HTTP/1 server to desynchronize a strict intermediary and the Mint client on the same pooled connection, enabling response-queue poisoning against subsequent requests that share the connection.

Vendor
elixir-mint
Product
mint
CVSS
MEDIUM 6.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Users of elixir-mint mint versions from 0.1.0 before 1.9.3 should review and apply patches to prevent HTTP response smuggling attacks. System administrators, security teams, and developers using the affected mint library should assess their exposure and take necessary actions.

Technical summary

The Mint.HTTP1.decode_body/5 function in lib/mint/http1.ex incorrectly parses chunk-size lines with leading + or - signs, allowing an attacker to desynchronize a strict intermediary and the Mint client on a pooled connection, enabling response-queue poisoning. This issue affects mint: from 0.1.0 before 1.9.3. The vulnerability allows a malicious HTTP/1 server to inject bytes that the client attributes to the next legitimate response on the same connection, poisoning the response queue and corrupting the responses returned to unrelated in-flight requests. Users should review and apply patches to prevent HTTP response smuggling attacks. The issue arises from Integer.parse(data, 16) accepting an optional leading + or -, contrary to RFC 7230 which defines chunk-size as 1*HEXDIG and forbids any sign prefix.

Defensive priority

Medium priority due to CVSS score of 6.3 and potential for response-queue poisoning attacks.

Recommended defensive actions

  • Review and apply patches for elixir-mint mint versions from 0.1.0 before 1.9.3
  • Verify and update inventory of affected systems
  • Monitor for suspicious HTTP requests and responses
  • Consider implementing compensating controls for HTTP response smuggling attacks
  • Review system configurations and patch applicability
  • Track exceptions and retest remediated assets

Evidence notes

Evidence is based on official CVE record and source references. Limited detail available on affected scope and vendor remediation. Defenders should verify system configurations, review patch applicability, and monitor for suspicious HTTP requests and responses.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T12:18:07.170Z and has not been modified since then.