Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackney_ws.erl copies the host, path, headers (ExtraHeaders), and protocols options from the caller-supplied opts map into the internal #ws_data{} record in init/1 and then splices them verbatim into the raw HTTP/1.1 upgrade request by binary concatenation in do_handshake/1. No CRLF or NUL stripping is performed at any of these four injection sites. An attacker who controls any of these options - for example by forwarding URL components or header values from untrusted input into hackney_ws:start_link/1 - can inject arbitrary HTTP headers into the outbound WebSocket upgrade request, leading to header injection, credential spoofing toward the upstream server, log and cache poisoning, or request smuggling via intermediary proxies.
This issue affects hackney: from 2.0.0 before 4.0.1.
AnalysisAI
CRLF injection in hackney (Erlang HTTP client, versions 2.0.0-4.0.1) enables header injection into outbound WebSocket upgrade requests when caller-supplied options - host, path, ExtraHeaders, or protocols - contain unsanitized user input. The vulnerable code in src/hackney_ws.erl splices these values verbatim via binary concatenation into a raw HTTP/1.1 upgrade request with no CR, LF, or NUL filtering at any of the four injection sites. No active exploitation is confirmed (not in CISA KEV), though SSVC assesses exploitation status as 'poc' and the fix commit includes a functional test that doubles as a proof-of-concept; EPSS remains very low at 0.05% (15th percentile), consistent with an indirect, application-mediated attack path rather than mass exploitation.
Technical ContextAI
hackney (cpe:2.3:a:benoitc:hackney) is a widely used Erlang HTTP client library. The WebSocket subsystem (src/hackney_ws.erl) constructs HTTP/1.1 upgrade handshake frames by directly concatenating binary values from the caller-supplied opts map - specifically the host, path, ExtraHeaders, and protocols fields - into the wire format using Erlang iolist binary construction. CWE-93 (Improper Neutralization of CRLF Sequences) identifies the root cause: HTTP header framing relies on CRLF delimiters, so any user-controlled binary containing \r\n or \0 can terminate one header field and inject additional header lines or even a second request body into the outbound upgrade request. The patch at commit 52310ca introduces valid_handshake_fields/2, which calls has_ctl_bytes/1 to reject any path or header field containing \r, \n, or NUL before the request is written to the socket - turning the injection attempt into a hard {error, invalid_handshake_header} rather than silently splicing the attacker content.
RemediationAI
Upstream fix available (patch commit 52310ca807e7b48441ba0e9129171f535313fdd1); released patched version 4.0.1 confirmed by vendor advisory description and NVD version range - upgrade hackney to 4.0.1 or later to apply the fix, which introduces strict validation rejecting CR, LF, and NUL bytes in all WebSocket upgrade fields before any bytes are sent to the socket. The advisory is at https://github.com/benoitc/hackney/security/advisories/GHSA-f9vr-g2g2-x9fg. If an immediate upgrade is not feasible, the compensating control is to sanitize all values supplied to hackney_ws:start_link/1 in application code before passing them - strip or reject \r (0x0D), \n (0x0A), and NUL (0x00) from host, path, extra header names, header values, and sub-protocol strings derived from untrusted input; note this control relies on discipline in every call site and may be incomplete if new call sites are added later. A second compensating control is to avoid forwarding any URL components or HTTP headers from untrusted external requests directly into hackney WebSocket upgrade options without a normalization layer.
Denial of service in benoitc hackney (Erlang HTTP client) versions 2.0.0 through 4.0.0 allows a malicious WebSocket serv
Denial of service in benoitc hackney (Erlang HTTP client) 2.0.0 through 4.0.0 allows remote unauthenticated attackers to
Denial-of-service in benoitc's hackney Erlang HTTP client (versions 2.0.0-beta.1 through 4.0.0) allows any HTTP origin s
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney_h3:await_
Denial of service in benoitc hackney (Erlang HTTP client) versions 0.10.0 through 4.0.0 lets a hostile SOCKS5 or HTTP CO
SSRF allowlist bypass in hackney (Erlang HTTP client) versions 0.13.0 through before 4.0.1 allows attackers who control
HTTP Request Splitting via CRLF injection in hackney, the Erlang/Elixir HTTP client library, allows an attacker who cont
Credential leakage in the hackney Erlang HTTP client library (versions 3.1.1 through before 4.0.1) allows a malicious or
CRLF injection in the hackney Erlang HTTP client library's hackney_cookie:setcookie/3 function enables HTTP response spl
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31690
GHSA-f9vr-g2g2-x9fg