Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Response Splitting. The hackney_cookie:setcookie/3 function in src/hackney_cookie.erl validates the Name and Value arguments against CRLF and control characters, but concatenates the domain and path options verbatim into the output iolist with no equivalent check. An attacker who controls either option - for example by supplying a Host header value forwarded as the cookie domain, or a request path forwarded as the cookie path - can inject a literal CRLF sequence and arbitrary additional Set-Cookie headers into the HTTP response.
This issue affects hackney: from 0.9.0 before 4.0.1.
AnalysisAI
CRLF injection in the hackney Erlang HTTP client library's hackney_cookie:setcookie/3 function enables HTTP response splitting against applications using versions 0.9.0 through before 4.0.1. While the function correctly validates the Name and Value cookie arguments against CRLF and control characters, it concatenates the domain and path options verbatim into the output iolist with no equivalent check, creating an injection point. An attacker who can influence the domain or path values passed to that function - for example, by submitting a crafted Host header or URL path that an application forwards directly into the cookie-setting call - can inject arbitrary additional Set-Cookie headers into the HTTP response. No public exploit identified at time of analysis per KEV absence, though SSVC confirms a proof-of-concept exists.
Technical ContextAI
hackney (CPE: cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*) is a widely used Erlang HTTP client library. The vulnerability resides in src/hackney_cookie.erl within the setcookie/3 function. The root cause is CWE-93: Improper Neutralization of CRLF Sequences - an inconsistent input validation design where Name and Value undergo CRLF/control-character checks but the domain and path options are passed through binary list concatenation (iolist) with no sanitization. The characters at risk are CR (\r), LF (\n), VT (\013), FF (\014), null (\0), semicolons, and spaces - all of which can be used to prematurely terminate a Set-Cookie header line and inject a subsequent one. The commit diff confirms the fix adds binary:match guards for exactly these byte classes in both the domain and path code paths.
RemediationAI
Upgrade hackney to version 4.0.1 or later, which is the vendor-released patch version confirmed by the CVE description and the upstream commit at https://github.com/benoitc/hackney/commit/8e02b99c28aea1b3fa2ddc0e66f51fe5bb0ac540. The patch adds binary:match validation rejecting CR, LF, VT (\013), FF (\014), null, semicolon, space, and tab from both the domain and path options before they are appended to the cookie iolist. If an immediate upgrade is not feasible, the specific compensating control is to strip or reject CRLF and control characters from any user-controlled input (Host headers, URL paths, query parameters) before passing it as the domain or path argument to hackney_cookie:setcookie/3 - this can be implemented at the application layer with a binary:match guard using the same byte set as the patch. Note that this workaround requires identifying every call site in the application that constructs these options from external input, and missing a single call site leaves the injection path open. Consult the full advisory at https://github.com/benoitc/hackney/security/advisories/GHSA-mp55-p8c9-rfw2.
Denial of service in benoitc hackney (Erlang HTTP client) versions 2.0.0 through 4.0.0 allows a malicious WebSocket serv
Denial of service in benoitc hackney (Erlang HTTP client) 2.0.0 through 4.0.0 allows remote unauthenticated attackers to
Denial-of-service in benoitc's hackney Erlang HTTP client (versions 2.0.0-beta.1 through 4.0.0) allows any HTTP origin s
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney_h3:await_
Denial of service in benoitc hackney (Erlang HTTP client) versions 0.10.0 through 4.0.0 lets a hostile SOCKS5 or HTTP CO
CRLF injection in hackney (Erlang HTTP client, versions 2.0.0-4.0.1) enables header injection into outbound WebSocket up
SSRF allowlist bypass in hackney (Erlang HTTP client) versions 0.13.0 through before 4.0.1 allows attackers who control
HTTP Request Splitting via CRLF injection in hackney, the Erlang/Elixir HTTP client library, allows an attacker who cont
Credential leakage in the hackney Erlang HTTP client library (versions 3.1.1 through before 4.0.1) allows a malicious or
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31683
GHSA-mp55-p8c9-rfw2