Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of CRLF Sequences vulnerability in benoitc hackney allows HTTP Request Splitting. hackney does not percent-encode carriage return (\r) or line feed (\n) characters in the URL query component before constructing the HTTP/1.1 request target. Characters outside the grammar defined in RFC 3986 Section 3.4 must be percent-encoded, but hackney_url:make_url/3 passes the query binary directly without validation or escaping. An attacker who can control all or part of a URL passed to hackney can inject raw CRLF sequences into the query string, which are then sent as HTTP line breaks in the request target. This enables injection of arbitrary HTTP headers or splitting of the HTTP request.
This issue affects hackney: from 0 before 4.0.1.
AnalysisAI
HTTP Request Splitting via CRLF injection in hackney, the Erlang/Elixir HTTP client library, allows an attacker who controls URL input to inject arbitrary HTTP headers or split HTTP/1.1 requests by embedding raw carriage return (\r) or line feed (\n) characters in the query string. The root cause is that hackney_url:make_url/3 passes the query binary directly into the HTTP/1.1 request target without percent-encoding RFC 3986-prohibited characters, violating the grammar defined in RFC 3986 §3.4. All hackney versions from 0 through 4.0.0 are affected; a proof-of-concept exists per SSVC assessment, though no active exploitation is confirmed and the EPSS score (0.02%, 6th percentile) indicates low widespread exploitation probability at time of analysis.
Technical ContextAI
hackney (CPE: cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*) is a widely used HTTP/1.1 client library for Erlang and Elixir applications. The vulnerability is classified as CWE-93 (Improper Neutralization of CRLF Sequences) and is rooted in hackney_url:make_url/3, which constructs the request target for HTTP/1.1 requests by concatenating the path and query string without sanitizing or percent-encoding the query component. RFC 3986 §3.4 mandates that characters outside the query grammar - including CR (\r, 0x0D), LF (\n, 0x0A), and NUL (0x00) - must be percent-encoded before being placed in a URI. Because hackney_conn.erl previously wrote the path/query directly as the HTTP request line, a caller-supplied URL containing raw CRLF bytes caused those bytes to be interpreted as HTTP line terminators by intermediate proxies, servers, or security controls. The patch (commit ca73dd0aba0ed557449c18288bf07241671a43c9) adds a valid_request_target/1 guard in hackney_conn.erl that rejects any request target containing \r, \n, or NUL before the request is dispatched to the socket, returning {error, {invalid_request_target, Path}} instead of emitting a malformed request.
RemediationAI
The primary fix is to upgrade hackney to version 4.0.1 or later, which introduces request target validation in hackney_conn.erl to reject paths containing raw CR, LF, or NUL bytes before they are written to the socket. The patch is confirmed at commit ca73dd0aba0ed557449c18288bf07241671a43c9 (https://github.com/benoitc/hackney/commit/ca73dd0aba0ed557449c18288bf07241671a43c9). Refer to the GitHub Security Advisory GHSA-j9wq-vxxc-94wf for full details. If immediate upgrade is not possible, the compensating control is to sanitize or percent-encode all query string values before passing URLs to hackney at the application layer - specifically, replace any occurrence of \r, \n, or NUL in user-controlled query parameters with their percent-encoded equivalents (%0D, %0A, %00) before constructing URLs. This mitigation adds application-layer encoding overhead and must be applied consistently at every call site that passes user-influenced URLs to hackney; any missed call site remains exploitable. There is no known configuration flag within hackney itself to disable the vulnerable behavior prior to 4.0.1.
Denial of service in benoitc hackney (Erlang HTTP client) versions 2.0.0 through 4.0.0 allows a malicious WebSocket serv
Denial of service in benoitc hackney (Erlang HTTP client) 2.0.0 through 4.0.0 allows remote unauthenticated attackers to
Denial-of-service in benoitc's hackney Erlang HTTP client (versions 2.0.0-beta.1 through 4.0.0) allows any HTTP origin s
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney_h3:await_
Denial of service in benoitc hackney (Erlang HTTP client) versions 0.10.0 through 4.0.0 lets a hostile SOCKS5 or HTTP CO
CRLF injection in hackney (Erlang HTTP client, versions 2.0.0-4.0.1) enables header injection into outbound WebSocket up
SSRF allowlist bypass in hackney (Erlang HTTP client) versions 0.13.0 through before 4.0.1 allows attackers who control
Credential leakage in the hackney Erlang HTTP client library (versions 3.1.1 through before 4.0.1) allows a malicious or
CRLF injection in the hackney Erlang HTTP client library's hackney_cookie:setcookie/3 function enables HTTP response spl
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31687
GHSA-j9wq-vxxc-94wf