PatchSiren cyber security CVE debrief
CVE-2026-59249 elixir-mint CVE debrief
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T12:18:07.170Z and has not been modified since then. This CVE record details an inconsistent interpretation of HTTP requests (HTTP response smuggling) vulnerability in elixir-mint mint. The vulnerability allows a malicious HTTP/1 server to desynchronize a strict intermediary and the Mint client on the same pooled connection, enabling response-queue poisoning against subsequent requests that share the connection.
- Vendor
- elixir-mint
- Product
- mint
- CVSS
- MEDIUM 6.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Users of elixir-mint mint versions from 0.1.0 before 1.9.3 should review and apply patches to prevent HTTP response smuggling attacks. System administrators, security teams, and developers using the affected mint library should assess their exposure and take necessary actions.
Technical summary
The Mint.HTTP1.decode_body/5 function in lib/mint/http1.ex incorrectly parses chunk-size lines with leading + or - signs, allowing an attacker to desynchronize a strict intermediary and the Mint client on a pooled connection, enabling response-queue poisoning. This issue affects mint: from 0.1.0 before 1.9.3. The vulnerability allows a malicious HTTP/1 server to inject bytes that the client attributes to the next legitimate response on the same connection, poisoning the response queue and corrupting the responses returned to unrelated in-flight requests. Users should review and apply patches to prevent HTTP response smuggling attacks. The issue arises from Integer.parse(data, 16) accepting an optional leading + or -, contrary to RFC 7230 which defines chunk-size as 1*HEXDIG and forbids any sign prefix.
Defensive priority
Medium priority due to CVSS score of 6.3 and potential for response-queue poisoning attacks.
Recommended defensive actions
- Review and apply patches for elixir-mint mint versions from 0.1.0 before 1.9.3
- Verify and update inventory of affected systems
- Monitor for suspicious HTTP requests and responses
- Consider implementing compensating controls for HTTP response smuggling attacks
- Review system configurations and patch applicability
- Track exceptions and retest remediated assets
Evidence notes
Evidence is based on official CVE record and source references. Limited detail available on affected scope and vendor remediation. Defenders should verify system configurations, review patch applicability, and monitor for suspicious HTTP requests and responses.
Official resources
-
CVE-2026-59249 CVE record
CVE.org
-
CVE-2026-59249 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
-
Source reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
-
Source reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
-
Source reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T12:18:07.170Z and has not been modified since then.