Skip to main content

hackney EUVDEUVD-2026-31687

| CVE-2026-47075 MEDIUM
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-05-25 EEF GHSA-j9wq-vxxc-94wf
6.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 08, 2026 - 12:36 vuln.today
Analysis Generated
Jun 08, 2026 - 12:36 vuln.today
CVSS changed
May 26, 2026 - 17:22 NVD
6.8 (MEDIUM)
CVE Published
May 25, 2026 - 14:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Improper Neutralization of CRLF Sequences vulnerability in benoitc hackney allows HTTP Request Splitting. hackney does not percent-encode carriage return (\r) or line feed (\n) characters in the URL query component before constructing the HTTP/1.1 request target. Characters outside the grammar defined in RFC 3986 Section 3.4 must be percent-encoded, but hackney_url:make_url/3 passes the query binary directly without validation or escaping. An attacker who can control all or part of a URL passed to hackney can inject raw CRLF sequences into the query string, which are then sent as HTTP line breaks in the request target. This enables injection of arbitrary HTTP headers or splitting of the HTTP request.

This issue affects hackney: from 0 before 4.0.1.

AnalysisAI

HTTP Request Splitting via CRLF injection in hackney, the Erlang/Elixir HTTP client library, allows an attacker who controls URL input to inject arbitrary HTTP headers or split HTTP/1.1 requests by embedding raw carriage return (\r) or line feed (\n) characters in the query string. The root cause is that hackney_url:make_url/3 passes the query binary directly into the HTTP/1.1 request target without percent-encoding RFC 3986-prohibited characters, violating the grammar defined in RFC 3986 §3.4. All hackney versions from 0 through 4.0.0 are affected; a proof-of-concept exists per SSVC assessment, though no active exploitation is confirmed and the EPSS score (0.02%, 6th percentile) indicates low widespread exploitation probability at time of analysis.

Technical ContextAI

hackney (CPE: cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*) is a widely used HTTP/1.1 client library for Erlang and Elixir applications. The vulnerability is classified as CWE-93 (Improper Neutralization of CRLF Sequences) and is rooted in hackney_url:make_url/3, which constructs the request target for HTTP/1.1 requests by concatenating the path and query string without sanitizing or percent-encoding the query component. RFC 3986 §3.4 mandates that characters outside the query grammar - including CR (\r, 0x0D), LF (\n, 0x0A), and NUL (0x00) - must be percent-encoded before being placed in a URI. Because hackney_conn.erl previously wrote the path/query directly as the HTTP request line, a caller-supplied URL containing raw CRLF bytes caused those bytes to be interpreted as HTTP line terminators by intermediate proxies, servers, or security controls. The patch (commit ca73dd0aba0ed557449c18288bf07241671a43c9) adds a valid_request_target/1 guard in hackney_conn.erl that rejects any request target containing \r, \n, or NUL before the request is dispatched to the socket, returning {error, {invalid_request_target, Path}} instead of emitting a malformed request.

RemediationAI

The primary fix is to upgrade hackney to version 4.0.1 or later, which introduces request target validation in hackney_conn.erl to reject paths containing raw CR, LF, or NUL bytes before they are written to the socket. The patch is confirmed at commit ca73dd0aba0ed557449c18288bf07241671a43c9 (https://github.com/benoitc/hackney/commit/ca73dd0aba0ed557449c18288bf07241671a43c9). Refer to the GitHub Security Advisory GHSA-j9wq-vxxc-94wf for full details. If immediate upgrade is not possible, the compensating control is to sanitize or percent-encode all query string values before passing URLs to hackney at the application layer - specifically, replace any occurrence of \r, \n, or NUL in user-controlled query parameters with their percent-encoded equivalents (%0D, %0A, %00) before constructing URLs. This mitigation adds application-layer encoding overhead and must be applied consistently at every call site that passes user-influenced URLs to hackney; any missed call site remains exploitable. There is no known configuration flag within hackney itself to disable the vulnerable behavior prior to 4.0.1.

Share

EUVD-2026-31687 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy