fad091454cbb7449b19edb8e1fee12ca7cf28c3a
88%

Ran 02 Jun 2026 01:29PM UTC

Jobs 1

Files 20

Run time 1min

Badge

Embed ▾

Committed 02 Jun 2026 01:29PM UTC coverage: 88.088% (-0.03%) from 88.114%

Build # fad091454cbb7449b19edb8e1fee12ca7cf28c3a

Build Type

push

github

Committed by

web-flow

Commit Message

Merge commit from fork

The HTTP/1 request encoder spliced the caller-supplied method into the
request line verbatim. An application forwarding attacker-controlled
input as the HTTP method was exposed to CRLF injection: a method
containing "\r\n" could terminate the request line early, inject
arbitrary headers, and pipeline a second attacker-chosen request onto
the same connection.

The request target has been validated since 1.7.0, but the method had
no equivalent check. Validate it as an RFC 9110 token (1*tchar), the
same production used for header names, rejecting CRLF, spaces, and other
control characters.

Fixes GHSA-2pg6-44cx-c49v.

Coverage Stats

4 of 5 new or added lines in 2 files covered. (80.0%)

1368 of 1553 relevant lines covered (88.09%)

252.75 hits per line

Uncovered Changes

Lines	Coverage	∆	File
1	84.62	-0.27%	lib/mint/http1.ex

Jobs

ID	Job ID	Ran	Files	Coverage
1	fad091454cbb7449b19edb8e1fee12ca7cf28c3a.1	02 Jun 2026 01:29PM UTC	20	88.09	GitHub Action Run

elixir-mint / mint / fad091454cbb7449b19edb8e1fee12ca7cf28c3a
88%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Uncovered Changes

Jobs

Source Files on build fad091454cbb7449b19edb8e1fee12ca7cf28c3a

elixir-mint / mint / fad091454cbb7449b19edb8e1fee12ca7cf28c3a 88%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Uncovered Changes

Jobs

Source Files on build fad091454cbb7449b19edb8e1fee12ca7cf28c3a

elixir-mint / mint / fad091454cbb7449b19edb8e1fee12ca7cf28c3a
88%

README BADGES
x