elixir-mint Mint
- >= 0.1.0, < 1.9.0
A vulnerability allowing HTTP response smuggling has been identified in the Elixir Mint library, affecting versions from 0.1.0 up to, but not including, 1.9.0. The issue arises in the HTTP/1 Content-Length parser, which incorrectly accepts header values carrying a '+' sign, contrary to RFC 7230 (which permits only decimal digits). When Mint shares a connection with a strict fronting proxy, the two parsers disagree on where one response ends and the next begins, so bytes from one response can leak into another. This is particularly concerning when the same Mint connection is reused across different trust boundaries.
Exploitation of this vulnerability creates a response-smuggling primitive, desynchronizing request-response handling in Mint's HTTP/1 client. This issue can lead to cross-request data leaks, especially in environments where Mint connections are shared across trust boundaries.
To reproduce this vulnerability, send a request to a server that returns a response with a Content-Length header value of '+0' or similar, using a Mint HTTP/1 client. The response will be processed as if the Content-Length were '0', leaving any 'smuggled' bytes in the socket buffer to be incorrectly attributed to the next response.
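The framing discrepancy described above, shown as an added example that is not part of the advisory or of Mint's own code. It contrasts a lenient Content-Length parser that tolerates a leading '+' (modelling the pre-1.9.0 behaviour) with a strict parser that implements RFC 7230's `1*DIGIT` rule, and runs both over a constructed response buffer to show which bytes would be left over for the next response. Function names and the sample buffer are assumptions of this example.

```python
import re
from typing import Callable, Dict, Optional, Tuple

# RFC 7230 section 3.3.2: Content-Length = 1*DIGIT. No sign, no inner whitespace.
STRICT_CONTENT_LENGTH = re.compile(rb"^[0-9]+$")


def parse_content_length_strict(value: bytes) -> Optional[int]:
    """Accept only a pure decimal digit string; return None for anything else."""
    v = value.strip(b" \t")  # optional whitespace around the field value is allowed
    if not STRICT_CONTENT_LENGTH.match(v):
        return None
    return int(v)


def parse_content_length_lenient(value: bytes) -> Optional[int]:
    """Model a parser that tolerates a leading '+', as the advisory describes."""
    v = value.strip(b" \t")
    if v.startswith(b"+"):
        v = v[1:]
    if not v.isdigit():
        return None
    return int(v)


def split_response(
    buf: bytes, parser: Callable[[bytes], Optional[int]]
) -> Tuple[bytes, Dict[bytes, bytes], bytes, bytes]:
    """Split a raw HTTP/1 response into (status_line, headers, body, leftover).

    `leftover` is what a client would keep in its socket buffer and attribute
    to the next response. Raises ValueError when `parser` rejects Content-Length.
    """
    head, sep, rest = buf.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response head")
    lines = head.split(b"\r\n")
    status_line = lines[0]
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, val = line.partition(b":")
        headers[name.strip().lower()] = val.strip()
    cl = headers.get(b"content-length")
    if cl is None:
        raise ValueError("no Content-Length header")
    n = parser(cl)
    if n is None:
        raise ValueError("invalid Content-Length: %r" % cl)
    return status_line, headers, rest[:n], rest[n:]


# Constructed sample: a response whose Content-Length is '+0', followed by
# extra bytes that a lenient client would hand to the *next* response.
SAMPLE_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: +0\r\n\r\nsmuggled"


def compare_framing(buf: bytes) -> Tuple[bytes, bool]:
    """Return (leftover bytes under the lenient parser, whether the strict parser rejected)."""
    _, _, _, lenient_leftover = split_response(buf, parse_content_length_lenient)
    try:
        split_response(buf, parse_content_length_strict)
        strict_rejected = False
    except ValueError:
        strict_rejected = True
    return lenient_leftover, strict_rejected


if __name__ == "__main__":
    leftover, rejected = compare_framing(SAMPLE_RESPONSE)
    print("lenient parser leaves in buffer:", leftover)
    print("strict parser rejects response:", rejected)
```

Running the block shows the lenient parser treating '+0' as a zero-length body and leaving `b"smuggled"` unconsumed, while the strict parser refuses the response outright, which is the behaviour a client should have: a malformed Content-Length must fail the response rather than be silently normalised.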
Users can upgrade to Mint version 1.9.0 or later, where this vulnerability has been fixed.