CVE-2026-49756 – Multipart form-data header injection in Req via unescaped name/filename/content_type

CVE ID :CVE-2026-49756

Published : June 8, 2026, 4:16 p.m. | 17 minutes ago

Description :Improper Neutralization of CRLF Sequences (‘CRLF Injection’) vulnerability in wojtekmach Req allows multipart parameter smuggling via attacker-influenced part metadata.

Req.Utils.encode_form_part/2 in lib/req/utils.ex builds the per-part headers by interpolating the caller-supplied name, filename, and content_type values directly into the content-disposition and content-type lines with no escaping or CRLF stripping. A value containing “, r, or n closes the surrounding quoted value and starts a new header line; an additional rn– terminates the current part and prepends a smuggled part of the attacker’s choosing.

This is reachable through every supported way of supplying a part. It is particularly easy when value is a %File.Stream{}, because filename then defaults to Path.basename(stream.path) and POSIX filenames may legitimately contain r and n. Any application that forwards user-controlled filenames (or field names / MIME types) through Req.post/2 with form_multipart: lets an attacker inject arbitrary headers into the outgoing multipart body or smuggle additional fields and parts into the request the victim service sends downstream.

This issue affects req: from 0.5.3 before 0.6.0.

Severity: 2.1 | LOW

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-49975 – Apache HTTP Server: mod_http2 denial of service

CVE-2026-49755 – Decompression bomb DoS in Req via auto-decoded archive and compressed response bodies

CVE-2026-48913 – Apache HTTP Server: mod_http2 memory corruption when file handles exhausted

CVE-2026-48488 – phpMyFAQ has Weak Cryptography – SHA1 for Password Hashing