CVE-2026-48595 - High Severity Vulnerability
Vulnerable Library - tesla-1.16.0.tar
HTTP client library, with support for middleware and multiple adapters.
Library home page: https://repo.hex.pm/tarballs/tesla-1.16.0.tar
Path to dependency file: /OPENAPI-REST-API/openapi-client/elixir/mix.exs
Path to vulnerable library: /home/wss-scanner/.hex/packages/hexpm/tesla-1.14.tar
Dependency Hierarchy:
- ❌ tesla-1.16.0.tar (Vulnerable Library)
Found in HEAD commit: 1f70e2feccb7006c8d32cc7d4fe62f5cf5e5c34d
Found in base branch: master
Vulnerability Details
Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-origin redirects.
Tesla.Middleware.FollowRedirects strips security-sensitive headers on cross-origin redirects using a case-sensitive string comparison against a lowercase filter list (@filter_headers ["authorization", "host"]). HTTP header names are case-insensitive per RFC 7230, but Tesla preserves header keys verbatim as supplied by the caller without normalizing case. A header set as {"Authorization", "Bearer …"} (the RFC 7235 canonical casing used by virtually all HTTP libraries and documentation) does not match the lowercase filter entry and is forwarded to the redirect destination. An attacker who can control or influence a Location: response seen by the client (via their own endpoint, a redirect-open upstream, or a compromised origin) receives the bearer token or other Authorization material on the cross-origin request.
This issue affects tesla: from 1.4.0 before 1.18.3.
Publish Date: 2026-06-02
URL: CVE-2026-48595
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-9m9w-gxf7-rh8m
Release Date: 2026-06-02
Fix Resolution: tesla - 1.18.3,https://github.com/elixir-tesla/tesla.git - v1.18.3
Step up your Open Source Security Game with Mend here
CVE-2026-48595 - High Severity Vulnerability
HTTP client library, with support for middleware and multiple adapters.
Library home page: https://repo.hex.pm/tarballs/tesla-1.16.0.tar
Path to dependency file: /OPENAPI-REST-API/openapi-client/elixir/mix.exs
Path to vulnerable library: /home/wss-scanner/.hex/packages/hexpm/tesla-1.14.tar
Dependency Hierarchy:
Found in HEAD commit: 1f70e2feccb7006c8d32cc7d4fe62f5cf5e5c34d
Found in base branch: master
Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-origin redirects.
Tesla.Middleware.FollowRedirects strips security-sensitive headers on cross-origin redirects using a case-sensitive string comparison against a lowercase filter list (@filter_headers ["authorization", "host"]). HTTP header names are case-insensitive per RFC 7230, but Tesla preserves header keys verbatim as supplied by the caller without normalizing case. A header set as {"Authorization", "Bearer …"} (the RFC 7235 canonical casing used by virtually all HTTP libraries and documentation) does not match the lowercase filter entry and is forwarded to the redirect destination. An attacker who can control or influence a Location: response seen by the client (via their own endpoint, a redirect-open upstream, or a compromised origin) receives the bearer token or other Authorization material on the cross-origin request.
This issue affects tesla: from 1.4.0 before 1.18.3.
Publish Date: 2026-06-02
URL: CVE-2026-48595
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-9m9w-gxf7-rh8m
Release Date: 2026-06-02
Fix Resolution: tesla - 1.18.3,https://github.com/elixir-tesla/tesla.git - v1.18.3
Step up your Open Source Security Game with Mend here