Impact
The vulnerability is improper neutralization of CRLF sequences in the domain and path options passed to hackney_cookie:setcookie/3 in the Erlang Hackney library. The function validates the cookie name and value, but it does not sanitize the domain and path options before concatenating them into the Set-Cookie header value. An attacker who can influence either option, for example through a Host header that is forwarded as the cookie domain or a request path that is forwarded as the cookie path, can inject a literal CRLF sequence. Because CRLF terminates a header line, whatever follows the injected sequence is emitted as one or more additional headers, such as extra Set-Cookie headers, which is HTTP header injection and, with a double CRLF ending the header block, HTTP response splitting. The impact is limited to injecting extra response headers and manipulating downstream cookie processing; it does not by itself provide remote code execution or privilege escalation.
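To make the mechanism concrete, the following is an added example in Python and is not hackney's code: a minimal model of a Set-Cookie builder with the same shape as the flaw (name and value checked, Domain and Path concatenated unchecked), a hardened builder that checks every attribute, and a naive header parser that shows how the injected CRLF turns one Set-Cookie header into two on the receiving side. The function names and the EVIL_DOMAIN input are constructed for this example.

```python
# Added example (not hackney's code): a model of a Set-Cookie builder that,
# like the vulnerable hackney_cookie:setcookie/3, checks the cookie name and
# value but concatenates the Domain and Path options unchecked, beside a
# hardened version. All inputs are constructed; function names are hypothetical.
from typing import List, Optional, Tuple

CTL_CHARS = "\r\n\x00"


def has_ctl(value: str) -> bool:
    """True if the value contains a control character that would end or corrupt a header line."""
    return any(ch in CTL_CHARS for ch in value)


def build_setcookie_vulnerable(name: str, value: str,
                               domain: Optional[str] = None,
                               path: Optional[str] = None) -> str:
    """Pre-fix behaviour: name and value are validated, domain and path are not."""
    if has_ctl(name) or has_ctl(value):
        raise ValueError("invalid cookie name or value")
    parts = [f"{name}={value}"]
    if domain is not None:
        parts.append(f"Domain={domain}")   # unchecked: CRLF passes straight through
    if path is not None:
        parts.append(f"Path={path}")       # unchecked
    return "; ".join(parts)


def build_setcookie_fixed(name: str, value: str,
                          domain: Optional[str] = None,
                          path: Optional[str] = None) -> str:
    """Hardened variant: every attribute that ends up in the header value is checked."""
    for label, item in (("name", name), ("value", value), ("domain", domain), ("path", path)):
        if item is not None and has_ctl(item):
            raise ValueError(f"invalid cookie {label}: control characters not allowed")
    return build_setcookie_vulnerable(name, value, domain, path)


def render_headers(headers: List[Tuple[str, str]]) -> bytes:
    """Serialise a header block the way it goes on the wire: one CRLF-terminated line each."""
    return "".join(f"{k}: {v}\r\n" for k, v in headers).encode() + b"\r\n"


def parse_header_block(raw: bytes) -> List[Tuple[str, str]]:
    """What a receiving proxy or browser sees: each CRLF-terminated line is a separate header."""
    parsed = []
    for line in raw.split(b"\r\n"):
        if not line:          # empty line ends the header block
            break
        k, _, v = line.partition(b":")
        parsed.append((k.strip().decode(), v.strip().decode()))
    return parsed


# Constructed attacker-controlled domain, e.g. a forwarded Host header value.
EVIL_DOMAIN = "example.com\r\nSet-Cookie: admin=true"


def injected_headers() -> List[Tuple[str, str]]:
    """Build one Set-Cookie header with the vulnerable builder; the receiver parses two."""
    header_value = build_setcookie_vulnerable("session", "abc123", domain=EVIL_DOMAIN, path="/")
    return parse_header_block(render_headers([("Set-Cookie", header_value)]))


def fixed_rejects(domain: Optional[str], path: Optional[str]) -> bool:
    """True if the hardened builder refuses the given domain/path combination."""
    try:
        build_setcookie_fixed("session", "abc123", domain=domain, path=path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for k, v in injected_headers():
        print(f"{k}: {v}")
    print("fixed builder rejects CRLF in domain:", fixed_rejects(EVIL_DOMAIN, "/"))
    print("fixed builder rejects CRLF in path:", fixed_rejects("example.com", "/\r\nSet-Cookie: x=1"))
```

Running the script prints two Set-Cookie lines from a single call, the second one (`admin=true; Path=/`) entirely attacker-chosen, and both rejection checks report True. The same input validation belongs at the application boundary as well: anything taken from a Host header or request path should be checked for CR and LF before it is handed to a cookie builder, regardless of which library version is installed.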
Affected Systems
Applications that depend on the Hackney HTTP client library at versions from 0.9.0 up to, but not including, 4.0.1 are affected. Any Erlang or Elixir project that uses hackney and builds Set-Cookie headers with hackney_cookie:setcookie/3 from domain or path values an attacker can influence is at risk.
Risk and Exploitability
The CVSS score of 2.1 reflects a low severity rating. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, so there is no indication of exploitation in the wild. The attack vector is nonetheless remote: it requires only that an attacker-controlled Host header or request path propagate unfiltered into the domain or path option of setcookie/3. Where that holds, the attacker can inject CRLF sequences and alter the emitted response headers. Exploitability therefore depends on whether such an unfiltered path exists, which is a relatively common pattern in web applications that set cookies for subdomains from forwarded client headers. The remediation is to upgrade to hackney 4.0.1 or later; independently of the library version, applications should reject CR and LF in any domain or path value derived from request data before passing it to the function.
OpenCVE Enrichment