Current section

8 Advisories

Jump to
EEF-CVE-2026-59249 CVE-2026-59249 GHSA-x3x7-96vm-6h2w

Sign-tolerant HTTP/1 chunk-size parser in Mint enables response smuggling against strict intermediaries on pooled connections

July 16, 2026
CVSS
?
6.3 / 10.0 Medium
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Versions

>= 0.1.0 and < 1.9.3
EEF-CVE-2026-59246 CVE-2026-59246 GHSA-8pf6-g464-h6h9

Zero-length HTTP/2 CONTINUATION frames bypass Mint's header-block byte-size cap and exhaust client memory

July 14, 2026
CVSS
?
6.3 / 10.0 Medium
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Versions

>= 0.1.0 and < 1.9.2
EEF-CVE-2026-58229 CVE-2026-58229 GHSA-qrfr-wh4c-3qhw

Unbounded HTTP/1 response-header and chunked-trailer accumulation in Mint causes memory-exhaustion DoS

July 14, 2026
CVSS
?
8.2 / 10.0 High
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Versions

>= 0.1.0 and < 1.9.2

Unbounded conn.streams growth in Mint HTTP/2 client via unenforced PUSH_PROMISE concurrency

June 02, 2026

HTTP/2 CONTINUATION flood in Mint client via unbounded header-block accumulation

June 02, 2026

HTTP response smuggling in Mint HTTP/1 client via lenient Content-Length parsing

June 02, 2026
EEF-CVE-2026-56810 CVE-2026-56810 GHSA-c59h-fq4p-r36r

mint buffers an entire chunked response chunk in memory in Mint.HTTP1.decode_body/5

July 06, 2026
CVSS
?
8.7 / 10.0 High
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Versions

>= 0.5.0 and < 1.9.1

Checksum

Dependency Config

mix.exs

rebar.config

Gleam

erlang.mk

Package Details

Downloads Last 30 days, all versions
0 20K 40K 60K 80K

this version

0

yesterday

64 176

last 7 days

348 889

all time

61 837 690

Last Updated

Jul 16, 2026

License

Apache-2.0

Build Tools

mix

Publisher

whatyouhide whatyouhide

Links