Skip to main content

hackney CVE-2026-47072

| EUVDEUVD-2026-31690 MEDIUM
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-05-25 EEF GHSA-f9vr-g2g2-x9fg
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 08, 2026 - 11:28 vuln.today
Analysis Generated
Jun 08, 2026 - 11:28 vuln.today
CVSS changed
May 26, 2026 - 17:22 NVD
6.9 (MEDIUM)
CVE Published
May 25, 2026 - 14:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackney_ws.erl copies the host, path, headers (ExtraHeaders), and protocols options from the caller-supplied opts map into the internal #ws_data{} record in init/1 and then splices them verbatim into the raw HTTP/1.1 upgrade request by binary concatenation in do_handshake/1. No CRLF or NUL stripping is performed at any of these four injection sites. An attacker who controls any of these options - for example by forwarding URL components or header values from untrusted input into hackney_ws:start_link/1 - can inject arbitrary HTTP headers into the outbound WebSocket upgrade request, leading to header injection, credential spoofing toward the upstream server, log and cache poisoning, or request smuggling via intermediary proxies.

This issue affects hackney: from 2.0.0 before 4.0.1.

AnalysisAI

CRLF injection in hackney (Erlang HTTP client, versions 2.0.0-4.0.1) enables header injection into outbound WebSocket upgrade requests when caller-supplied options - host, path, ExtraHeaders, or protocols - contain unsanitized user input. The vulnerable code in src/hackney_ws.erl splices these values verbatim via binary concatenation into a raw HTTP/1.1 upgrade request with no CR, LF, or NUL filtering at any of the four injection sites. No active exploitation is confirmed (not in CISA KEV), though SSVC assesses exploitation status as 'poc' and the fix commit includes a functional test that doubles as a proof-of-concept; EPSS remains very low at 0.05% (15th percentile), consistent with an indirect, application-mediated attack path rather than mass exploitation.

Technical ContextAI

hackney (cpe:2.3:a:benoitc:hackney) is a widely used Erlang HTTP client library. The WebSocket subsystem (src/hackney_ws.erl) constructs HTTP/1.1 upgrade handshake frames by directly concatenating binary values from the caller-supplied opts map - specifically the host, path, ExtraHeaders, and protocols fields - into the wire format using Erlang iolist binary construction. CWE-93 (Improper Neutralization of CRLF Sequences) identifies the root cause: HTTP header framing relies on CRLF delimiters, so any user-controlled binary containing \r\n or \0 can terminate one header field and inject additional header lines or even a second request body into the outbound upgrade request. The patch at commit 52310ca introduces valid_handshake_fields/2, which calls has_ctl_bytes/1 to reject any path or header field containing \r, \n, or NUL before the request is written to the socket - turning the injection attempt into a hard {error, invalid_handshake_header} rather than silently splicing the attacker content.

RemediationAI

Upstream fix available (patch commit 52310ca807e7b48441ba0e9129171f535313fdd1); released patched version 4.0.1 confirmed by vendor advisory description and NVD version range - upgrade hackney to 4.0.1 or later to apply the fix, which introduces strict validation rejecting CR, LF, and NUL bytes in all WebSocket upgrade fields before any bytes are sent to the socket. The advisory is at https://github.com/benoitc/hackney/security/advisories/GHSA-f9vr-g2g2-x9fg. If an immediate upgrade is not feasible, the compensating control is to sanitize all values supplied to hackney_ws:start_link/1 in application code before passing them - strip or reject \r (0x0D), \n (0x0A), and NUL (0x00) from host, path, extra header names, header values, and sub-protocol strings derived from untrusted input; note this control relies on discipline in every call site and may be incomplete if new call sites are added later. A second compensating control is to avoid forwarding any URL components or HTTP headers from untrusted external requests directly into hackney WebSocket upgrade options without a normalization layer.

Share

CVE-2026-47072 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy