{"id":3663701,"name":"mint","ecosystem":"hex","description":"Small and composable HTTP client.","homepage":null,"licenses":"Apache-2.0","normalized_licenses":["Apache-2.0"],"repository_url":"https://github.com/elixir-mint/mint","keywords_array":[],"namespace":null,"versions_count":24,"first_release_published_at":"2019-02-25T16:40:28.753Z","latest_release_published_at":"2026-06-02T14:03:07.242Z","latest_release_number":"1.9.0","last_synced_at":"2026-06-03T00:20:11.077Z","created_at":"2022-04-11T10:07:35.482Z","updated_at":"2026-06-03T19:00:18.834Z","registry_url":"https://hex.pm/packages/mint/","install_command":"mix hex.package fetch mint ","documentation_url":"http://hexdocs.pm/mint/","metadata":{},"repo_metadata":{"id":27095526,"uuid":"108273415","full_name":"elixir-mint/mint","owner":"elixir-mint","description":"Functional HTTP client for Elixir with support for HTTP/1 and HTTP/2 🌱","archived":false,"fork":false,"pushed_at":"2024-08-15T08:07:22.000Z","size":1086,"stargazers_count":1371,"open_issues_count":9,"forks_count":112,"subscribers_count":30,"default_branch":"main","last_synced_at":"2024-10-29T14:03:39.704Z","etag":null,"topics":["elixir","elixir-http","elixir-lang","elixir-language","http","http-client","http2"],"latest_commit_sha":null,"homepage":"","language":"Elixir","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/elixir-mint.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-10-25T13:22:12.000Z","updated_at":"2024-10-28T07:44:05.000Z","dependencies_parsed_at":"2023-02-12T21:00:16.037Z","dependen
cy_job_id":"f0bcd32e-34e8-44d8-b4b0-a40e0a5207c2","html_url":"https://github.com/elixir-mint/mint","commit_stats":{"total_commits":455,"total_committers":53,"mean_commits":8.584905660377359,"dds":0.4483516483516483,"last_synced_commit":"301b77910b131541c11ef8b34d8d6f6b7c0583d1"},"previous_names":["ericmj/mint"],"tags_count":18,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/elixir-mint","download_url":"https://codeload.github.com/elixir-mint/mint/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":222100900,"owners_count":16931671,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"},"owner_record":{"login":"elixir-mint","name":"Elixir 
Mint","uuid":"57103105","kind":"organization","description":"","email":null,"website":null,"location":null,"twitter":null,"company":null,"icon_url":"https://avatars.githubusercontent.com/u/57103105?v=4","repositories_count":4,"last_synced_at":"2023-02-28T04:45:42.606Z","metadata":{"has_sponsors_listing":false},"html_url":"https://github.com/elixir-mint","funding_links":[],"total_stars":null,"followers":null,"following":null,"created_at":"2022-11-11T09:23:18.813Z","updated_at":"2023-02-28T04:45:42.609Z","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/elixir-mint","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/elixir-mint/repositories"},"tags":[{"name":"v1.6.2","sha":"5d0c6e9aba84618a7fd374cfa49ad392d2125061","kind":"tag","published_at":"2024-07-01T15:50:01.000Z","download_url":"https://codeload.github.com/elixir-mint/mint/tar.gz/v1.6.2","html_url":"https://github.com/elixir-mint/mint/releases/tag/v1.6.2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v1.6.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v1.6.2/manifests"},{"name":"v1.6.1","sha":"b0fa808400e183112112409188287d18e23b85fe","kind":"tag","published_at":"2024-06-10T08:17:30.000Z","download_url":"https://codeload.github.com/elixir-mint/mint/tar.gz/v1.6.1","html_url":"https://github.com/elixir-mint/mint/releases/tag/v1.6.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v1.6.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v1.6.1/manifests"},{"name":"v1.6.0","sha":"43db9a81333ca16372bb4f52484b308b6d8073a8","kind":"tag","published_at":"2024-04-22T09:04:39.000Z","download_url":"https://codeload.github.com/elixir-mint/mint/tar.gz/v1.6.0","html_url":"https://gith
ub.com/elixir-mint/mint/releases/tag/v1.6.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v1.6.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v1.6.0/manifests"},{"name":"v1.5.2","sha":"7bb9ee7b6cbda479bab0031ddacff2cb515156a2","kind":"tag","published_at":"2023-12-11T11:10:04.000Z","download_url":"https://codeload.github.com/elixir-mint/mint/tar.gz/v1.5.2","html_url":"https://github.com/elixir-mint/mint/releases/tag/v1.5.2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v1.5.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v1.5.2/manifests"},{"name":"v1.5.1","sha":"a20250331a1cbf4086cceca92b6b3a7b0b3fc349","kind":"tag","published_at":"2023-03-03T15:53:17.000Z","download_url":"https://codeload.github.com/elixir-mint/mint/tar.gz/v1.5.1","html_url":"https://github.com/elixir-mint/mint/releases/tag/v1.5.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v1.5.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v1.5.1/manifests"},{"name":"v1.5.0","sha":"9d5d883116c0c3f834be31e4bfa73b1fa986e48f","kind":"tag","published_at":"2023-03-01T15:50:36.000Z","download_url":"https://codeload.github.com/elixir-mint/mint/tar.gz/v1.5.0","html_url":"https://github.com/elixir-mint/mint/releases/tag/v1.5.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v1.5.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v1.5.0/manifests"},{"name":"v1.4.2","sha":"1e70ccffbcce6f4d601661f22a700
e001ce8e475","kind":"tag","published_at":"2022-06-13T12:29:51.000Z","download_url":"https://codeload.github.com/elixir-mint/mint/tar.gz/v1.4.2","html_url":"https://github.com/elixir-mint/mint/releases/tag/v1.4.2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v1.4.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v1.4.2/manifests"},{"name":"v1.4.1","sha":"80ecfad07dfcefd70d3c729624f7ae3c147ae052","kind":"tag","published_at":"2022-02-17T07:17:09.000Z","download_url":"https://codeload.github.com/elixir-mint/mint/tar.gz/v1.4.1","html_url":"https://github.com/elixir-mint/mint/releases/tag/v1.4.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v1.4.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v1.4.1/manifests"},{"name":"v1.4.0","sha":"367230ff0565df69125f93204fcb496774bf69a9","kind":"commit","published_at":"2021-09-12T14:20:29.000Z","download_url":"https://codeload.github.com/elixir-mint/mint/tar.gz/v1.4.0","html_url":"https://github.com/elixir-mint/mint/releases/tag/v1.4.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v1.4.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v1.4.0/manifests"},{"name":"v1.3.0","sha":"976ba34d5b631d82274fc04b61f3c310bf8655c3","kind":"commit","published_at":"2021-05-04T14:37:19.000Z","download_url":"https://codeload.github.com/elixir-mint/mint/tar.gz/v1.3.0","html_url":"https://github.com/elixir-mint/mint/releases/tag/v1.3.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v1.3.0
","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v1.3.0/manifests"},{"name":"v1.2.1","sha":"d9a60c8b206a8c4f5da829ca1ab87007453b1e1e","kind":"tag","published_at":"2021-02-05T10:10:21.000Z","download_url":"https://codeload.github.com/elixir-mint/mint/tar.gz/v1.2.1","html_url":"https://github.com/elixir-mint/mint/releases/tag/v1.2.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v1.2.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v1.2.1/manifests"},{"name":"v1.2.0","sha":"7d0c67be82dfc231e4e8c806c518b64ebd4215cf","kind":"tag","published_at":"2020-10-02T07:36:07.000Z","download_url":"https://codeload.github.com/elixir-mint/mint/tar.gz/v1.2.0","html_url":"https://github.com/elixir-mint/mint/releases/tag/v1.2.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v1.2.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v1.2.0/manifests"},{"name":"v1.1.0","sha":"e07765897ce10d6b305da111f674c0148431f674","kind":"tag","published_at":"2020-05-19T17:48:21.000Z","download_url":"https://codeload.github.com/elixir-mint/mint/tar.gz/v1.1.0","html_url":"https://github.com/elixir-mint/mint/releases/tag/v1.1.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v1.1.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v1.1.0/manifests"},{"name":"v1.0.0","sha":"babd4fd98c1a3695a0be531f702128dbef44f3b8","kind":"tag","published_at":"2019-10-28T14:44:37.000Z","download_url":"https://codeload.github.com/elixir-mint/mint/tar.gz/v1.0.0","html_url":"https://github.com/elixir-mint/mint/releases
/tag/v1.0.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v1.0.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v1.0.0/manifests"},{"name":"v0.5.0","sha":"d135bbdcfcec041fa3a9b22a3b6f4546e84f4f7b","kind":"tag","published_at":"2019-10-28T14:44:15.000Z","download_url":"https://codeload.github.com/elixir-mint/mint/tar.gz/v0.5.0","html_url":"https://github.com/elixir-mint/mint/releases/tag/v0.5.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v0.5.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v0.5.0/manifests"},{"name":"v0.4.0","sha":"38460a016ff1a44749c854e227d00208bc8f7d2f","kind":"tag","published_at":"2019-07-17T15:43:52.000Z","download_url":"https://codeload.github.com/elixir-mint/mint/tar.gz/v0.4.0","html_url":"https://github.com/elixir-mint/mint/releases/tag/v0.4.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v0.4.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v0.4.0/manifests"},{"name":"v0.2.1","sha":"c21ef936840e4a9a66b9f1dbb43e94f1e338b3a3","kind":"tag","published_at":"2019-04-23T21:46:11.000Z","download_url":"https://codeload.github.com/elixir-mint/mint/tar.gz/v0.2.1","html_url":"https://github.com/elixir-mint/mint/releases/tag/v0.2.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v0.2.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v0.2.1/manifests"},{"name":"v0.2.0","sha":"8d3152c6409146b861b800a1fc804fff24f4a226","kind":"tag","publi
shed_at":"2019-04-09T14:01:29.000Z","download_url":"https://codeload.github.com/elixir-mint/mint/tar.gz/v0.2.0","html_url":"https://github.com/elixir-mint/mint/releases/tag/v0.2.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v0.2.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v0.2.0/manifests"},{"name":"v0.1.0","sha":"47889857fb36f07606ad9c2e52080d202d419058","kind":"tag","published_at":"2019-02-26T08:03:30.000Z","download_url":"https://codeload.github.com/elixir-mint/mint/tar.gz/v0.1.0","html_url":"https://github.com/elixir-mint/mint/releases/tag/v0.1.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v0.1.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/tags/v0.1.0/manifests"}]},"repo_metadata_updated_at":"2024-11-11T01:57:34.406Z","dependent_packages_count":83,"downloads":59806656,"downloads_period":"total","dependent_repos_count":195,"rankings":{"downloads":0.7001091913417689,"dependent_repos_count":0.9762990558160447,"dependent_packages_count":0.3211510052026463,"stargazers_count":0.5780718093647633,"forks_count":1.747061468302396,"docker_downloads_count":1.380949322371379,"average":0.950606975399833},"purl":"pkg:hex/mint","advisories":[{"uuid":"EEF-CVE-2026-49753","url":"https://github.com/elixir-mint/mint/security/advisories/GHSA-mjqx-c6f6-7rc2","title":"HTTP response smuggling in Mint HTTP/1 client via lenient Content-Length parsing","description":"## Summary\n\nInconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in elixir-mint Mint allows attacker-controlled HTTP/1 servers to desynchronise response framing on shared connections.\n\nMint's HTTP/1 Content-Length parser, Mint.HTTP1.Parse.content_length_header/1 
in lib/mint/http1/parse.ex, parses the header value with Integer.parse/1, which accepts an optional + or - sign prefix. The length \u003e= 0 guard rejects negatives, but inputs such as +0 or +123 are returned as valid lengths. RFC 7230 specifies Content-Length = 1*DIGIT, with no sign character permitted.\n\nA fronting proxy or load balancer that strictly enforces the grammar will reject or reframe a header like Content-Length: +0, while Mint silently treats it as zero. When Mint reuses the socket (keep-alive, pipelining, or any pooled connection shared across requesters), the parser disagreement is a response-smuggling primitive: the proxy delimits the body one way, Mint another, and bytes from one response get attributed to the next. Where the same Mint connection is shared across trust boundaries, an attacker-controlled upstream can leak bytes into a different consumer's response stream.\n\nThis issue affects mint: from 0.1.0 before 1.9.0.","origin":"ERLEF","severity":"MEDIUM","published_at":"2026-06-02T14:15:17.078Z","withdrawn_at":null,"classification":null,"cvss_score":6.3,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N","references":["https://github.com/elixir-mint/mint/security/advisories/GHSA-mjqx-c6f6-7rc2","https://cna.erlef.org/cves/CVE-2026-49753.html","https://github.com/elixir-mint/mint/commit/47e48027480228e4e32a0b4df39db497b4804921","https://hex.pm/packages/mint"],"source_kind":"erlef","identifiers":["EEF-CVE-2026-49753","GHSA-mjqx-c6f6-7rc2","CVE-2026-49753"],"repository_url":"https://github.com/elixir-mint/mint","blast_radius":14.427218051583862,"created_at":"2026-06-02T15:19:46.497Z","updated_at":"2026-06-03T18:18:53.761Z","epss_percentage":null,"epss_percentile":null,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/EEF-CVE-2026-49753","html_url":"https://advisories.ecosyste.ms/advisories/EEF-CVE-2026-49753","packages":[{"ecosystem":"hex","package_name":"mint","versions":[{"first_patched_version":"1.9.0","
vulnerable_version_range":"\u003e= 0.1.0, \u003c 1.9.0"}],"purl":null,"statistics":{"dependent_packages_count":83,"dependent_repos_count":195,"downloads":59806656,"downloads_period":"total"},"affected_versions":["0.1.0","0.2.0","0.2.1","0.3.0","0.4.0","0.5.0","1.0.0","1.1.0","1.2.0","1.2.1","1.3.0","1.4.0","1.4.1","1.4.2","1.5.0","1.5.1","1.5.2","1.6.0","1.6.1","1.6.2","1.7.0","1.7.1","1.8.0"],"unaffected_versions":["1.9.0"]}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/EEF-CVE-2026-49753/related_packages","related_advisories":[]},{"uuid":"EEF-CVE-2026-49754","url":"https://github.com/elixir-mint/mint/security/advisories/GHSA-2p26-p43x-fhp8","title":"HTTP/2 CONTINUATION flood in Mint client via unbounded header-block accumulation","description":"## Summary\n\nAllocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client (HTTP/2 CONTINUATION flood).\n\nWhen Mint's HTTP/2 receive path observes a HEADERS frame without the END_HEADERS flag, the unparsed header-block fragment is parked in conn.headers_being_processed, and every subsequent CONTINUATION frame on that stream is appended to the accumulator. Nothing in the receive path caps the accumulator: there is no per-stream size limit, no CONTINUATION frame-count limit, and max_header_list_size is only enforced on outgoing requests, never on inbound header blocks (its default is :infinity).\n\nA malicious or compromised HTTP/2 server can stream an endless sequence of CONTINUATION frames (each up to the peer-advertised SETTINGS_MAX_FRAME_SIZE) and drive the client's iolist to arbitrary size, causing memory exhaustion and BEAM process death. 
A single connection to an attacker-controlled HTTP/2 endpoint is sufficient.\n\nThis issue affects mint: from 0.1.0 before 1.9.0.\n\n## Workaround\n\nRestrict Mint to HTTP/1 on connections to untrusted servers by passing protocols: [:http1] to Mint.HTTP.connect/4. This avoids the vulnerable HTTP/2 receive path entirely, at the cost of losing HTTP/2 for those connections.","origin":"ERLEF","severity":"HIGH","published_at":"2026-06-02T14:15:14.951Z","withdrawn_at":null,"classification":null,"cvss_score":8.2,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","references":["https://github.com/elixir-mint/mint/security/advisories/GHSA-2p26-p43x-fhp8","https://cna.erlef.org/cves/CVE-2026-49754.html","https://github.com/elixir-mint/mint/commit/b662d127d3028b5426c88d4c9cc7fe430491a10b","https://hex.pm/packages/mint"],"source_kind":"erlef","identifiers":["EEF-CVE-2026-49754","GHSA-2p26-p43x-fhp8","CVE-2026-49754"],"repository_url":"https://github.com/elixir-mint/mint","blast_radius":18.778283813172646,"created_at":"2026-06-02T15:19:46.540Z","updated_at":"2026-06-03T18:18:53.798Z","epss_percentage":null,"epss_percentile":null,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/EEF-CVE-2026-49754","html_url":"https://advisories.ecosyste.ms/advisories/EEF-CVE-2026-49754","packages":[{"ecosystem":"hex","package_name":"mint","versions":[{"first_patched_version":"1.9.0","vulnerable_version_range":"\u003e= 0.1.0, \u003c 
1.9.0"}],"purl":null,"statistics":{"dependent_packages_count":83,"dependent_repos_count":195,"downloads":59806656,"downloads_period":"total"},"affected_versions":["0.1.0","0.2.0","0.2.1","0.3.0","0.4.0","0.5.0","1.0.0","1.1.0","1.2.0","1.2.1","1.3.0","1.4.0","1.4.1","1.4.2","1.5.0","1.5.1","1.5.2","1.6.0","1.6.1","1.6.2","1.7.0","1.7.1","1.8.0"],"unaffected_versions":["1.9.0"]}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/EEF-CVE-2026-49754/related_packages","related_advisories":[]},{"uuid":"EEF-CVE-2026-48862","url":"https://github.com/elixir-mint/mint/security/advisories/GHSA-g586-ccqf-7x4r","title":"Unbounded conn.streams growth in Mint HTTP/2 client via unenforced PUSH_PROMISE concurrency","description":"## Summary\n\nAllocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client via PUSH_PROMISE flooding.\n\nIn lib/mint/http2.ex, Mint.HTTP2.decode_push_promise_headers_and_add_response/5 inserts a :reserved_remote entry into conn.streams for every promised stream ID. The neighbouring Mint.HTTP2.assert_valid_promised_stream_id/2 only verifies that the promised ID is even and not already present; client_settings.max_concurrent_streams is not consulted at promise time. The concurrency cap is only checked when the response HEADERS for the promised stream arrive, so a server that emits PUSH_PROMISE frames and withholds the matching HEADERS never trips that check.\n\nHTTP/2 server push is accepted by default (client_settings.enable_push defaults to true). 
A single long-lived HTTP/2 connection to a hostile server lets that server pin one conn.streams entry per PUSH_PROMISE frame it sends, with no upper bound, until the client process runs out of memory.\n\nThis issue affects mint: from 0.2.0 before 1.9.0.\n\n## Workaround\n\nDisable HTTP/2 server push on connections to untrusted servers by passing client_settings: [enable_push: false] to Mint.HTTP.connect/4. This makes Mint reject any inbound PUSH_PROMISE frame with a PROTOCOL_ERROR before the vulnerable code path is reached.","origin":"ERLEF","severity":"HIGH","published_at":"2026-06-02T14:15:10.591Z","withdrawn_at":null,"classification":null,"cvss_score":8.2,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","references":["https://github.com/elixir-mint/mint/security/advisories/GHSA-g586-ccqf-7x4r","https://cna.erlef.org/cves/CVE-2026-48862.html","https://github.com/elixir-mint/mint/commit/70b97b6a5209fb288b0e04d8e657dda26c59de67","https://hex.pm/packages/mint"],"source_kind":"erlef","identifiers":["EEF-CVE-2026-48862","GHSA-g586-ccqf-7x4r","CVE-2026-48862"],"repository_url":"https://github.com/elixir-mint/mint","blast_radius":18.778283813172646,"created_at":"2026-06-02T15:19:46.464Z","updated_at":"2026-06-03T18:18:53.722Z","epss_percentage":null,"epss_percentile":null,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/EEF-CVE-2026-48862","html_url":"https://advisories.ecosyste.ms/advisories/EEF-CVE-2026-48862","packages":[{"ecosystem":"hex","package_name":"mint","versions":[{"first_patched_version":"1.9.0","vulnerable_version_range":"\u003e= 0.2.0, \u003c 
1.9.0"}],"purl":null,"statistics":{"dependent_packages_count":83,"dependent_repos_count":195,"downloads":59806656,"downloads_period":"total"},"affected_versions":["0.2.0","0.2.1","0.3.0","0.4.0","0.5.0","1.0.0","1.1.0","1.2.0","1.2.1","1.3.0","1.4.0","1.4.1","1.4.2","1.5.0","1.5.1","1.5.2","1.6.0","1.6.1","1.6.2","1.7.0","1.7.1","1.8.0"],"unaffected_versions":["0.1.0","1.9.0"]}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/EEF-CVE-2026-48862/related_packages","related_advisories":[]},{"uuid":"EEF-CVE-2026-48861","url":"https://github.com/elixir-mint/mint/security/advisories/GHSA-2pg6-44cx-c49v","title":"CRLF injection in HTTP/1 request line via unvalidated method in Mint","description":"## Summary\n\nImproper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in elixir-mint Mint allows HTTP Request Splitting and HTTP Request Smuggling.\n\nIn lib/mint/http1/request.ex, the encode_request_line/2 function splices the caller-supplied method and target arguments directly into the HTTP/1 request line without any character validation: [method, ?\\s, target, \" HTTP/1.1\\r\\n\"]. An application that forwards attacker-controlled input as the HTTP method or target to Mint.HTTP.request/5 is therefore exposed to request-line CRLF injection: the attacker can terminate the request line early, inject arbitrary headers, and smuggle an entirely separate pipelined HTTP request onto the same TCP connection.\n\nMint 1.7.0 introduced validate_request_target/2, which rejects CRLF and other control characters in the target by default and closes the path/query vector unless the caller opts out via skip_target_validation: true. 
The method field remains unvalidated, so the method-based injection is exploitable under the default Mint configuration on all versions before 1.9.0, including the 1.7.x and 1.8.x releases that validate the target by default.\n\nThis issue affects mint: from 0.1.0 before 1.9.0.","origin":"ERLEF","severity":"LOW","published_at":"2026-06-02T14:15:09.015Z","withdrawn_at":null,"classification":null,"cvss_score":2.1,"cvss_vector":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N","references":["https://github.com/elixir-mint/mint/security/advisories/GHSA-2pg6-44cx-c49v","https://cna.erlef.org/cves/CVE-2026-48861.html","https://github.com/elixir-mint/mint/commit/fad091454cbb7449b19edb8e1fee12ca7cf28c3a","https://hex.pm/packages/mint"],"source_kind":"erlef","identifiers":["EEF-CVE-2026-48861","GHSA-2pg6-44cx-c49v","CVE-2026-48861"],"repository_url":"https://github.com/elixir-mint/mint","blast_radius":4.809072683861288,"created_at":"2026-06-02T15:19:46.387Z","updated_at":"2026-06-03T18:18:53.688Z","epss_percentage":null,"epss_percentile":null,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/EEF-CVE-2026-48861","html_url":"https://advisories.ecosyste.ms/advisories/EEF-CVE-2026-48861","packages":[{"ecosystem":"hex","package_name":"mint","versions":[{"first_patched_version":"1.9.0","vulnerable_version_range":"\u003e= 0.1.0, \u003c 
1.9.0"}],"purl":null,"statistics":{"dependent_packages_count":83,"dependent_repos_count":195,"downloads":59806656,"downloads_period":"total"},"affected_versions":["0.1.0","0.2.0","0.2.1","0.3.0","0.4.0","0.5.0","1.0.0","1.1.0","1.2.0","1.2.1","1.3.0","1.4.0","1.4.1","1.4.2","1.5.0","1.5.1","1.5.2","1.6.0","1.6.1","1.6.2","1.7.0","1.7.1","1.8.0"],"unaffected_versions":["1.9.0"]}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/EEF-CVE-2026-48861/related_packages","related_advisories":[]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/hex/mint","docker_dependents_count":17,"docker_downloads_count":279390,"usage_url":"https://repos.ecosyste.ms/usage/hex/mint","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/hex/mint/dependencies","status":null,"funding_links":[],"critical":true,"issue_metadata":{"last_synced_at":"2024-11-11T01:35:55.097Z","issues_count":63,"pull_requests_count":94,"avg_time_to_close_issue":8737994.07017544,"avg_time_to_close_pull_request":1063607.402173913,"issues_closed_count":57,"pull_requests_closed_count":92,"pull_request_authors_count":36,"issue_authors_count":49,"avg_comments_per_issue":5.158730158730159,"avg_comments_per_pull_request":2.6808510638297873,"merged_pull_requests_count":82,"bot_issues_count":0,"bot_pull_requests_count":0,"past_year_issues_count":18,"past_year_pull_requests_count":25,"past_year_avg_time_to_close_issue":1140752.3333333333,"past_year_avg_time_to_close_pull_request":203052.13043478262,"past_year_issues_closed_count":12,"past_year_pull_requests_closed_count":23,"past_year_pull_request_authors_count":13,"past_year_issue_authors_count":15,"past_year_avg_comments_per_issue":4.833333333333333,"past_year_avg_comments_per_pull_request":4.48,"past_year_bot_issues_count":0,"past_year_bot_pull_requests_count":0,"past_year_merged_pull_requests_count":21,"issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/elixir-mint%2Fmint/issues","maintainers":[{"login":"eri
cmj","count":6,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/ericmj"}],"active_maintainers":[{"login":"ericmj","count":2,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/ericmj"}]},"versions_url":"https://packages.ecosyste.ms/api/v1/registries/hex.pm/packages/mint/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/hex.pm/packages/mint/version_numbers","latest_version_url":"https://packages.ecosyste.ms/api/v1/registries/hex.pm/packages/mint/latest_version","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/hex.pm/packages/mint/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/hex.pm/packages/mint/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/hex.pm/packages/mint/codemeta","maintainers":[{"uuid":"whatyouhide","login":"whatyouhide","name":null,"email":"hi@andrealeopardi.com","url":null,"packages_count":35,"html_url":"https://hex.pm/users/whatyouhide","role":null,"created_at":"2022-11-08T13:07:39.004Z","updated_at":"2022-11-08T13:07:39.004Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/hex.pm/maintainers/whatyouhide/packages"},{"uuid":"ericmj","login":"ericmj","name":null,"email":"eric.meadows.jonsson@gmail.com","url":null,"packages_count":20,"html_url":"https://hex.pm/users/ericmj","role":null,"created_at":"2022-11-08T13:07:38.986Z","updated_at":"2022-11-08T13:07:38.986Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/hex.pm/maintainers/ericmj/packages"}]}