Description
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackney_ws.erl copies the host, path, headers (ExtraHeaders), and protocols options from the caller-supplied opts map into the internal #ws_data{} record in init/1 and then splices them verbatim into the raw HTTP/1.1 upgrade request by binary concatenation in do_handshake/1. No CRLF or NUL stripping is performed at any of these four injection sites. An attacker who controls any of these options — for example by forwarding URL components or header values from untrusted input into hackney_ws:start_link/1 — can inject arbitrary HTTP headers into the outbound WebSocket upgrade request, leading to header injection, credential spoofing toward the upstream server, log and cache poisoning, or request smuggling via intermediary proxies.

This issue affects hackney: from 2.0.0 before 4.0.1.
Published: 2026-05-25
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from the WebSocket upgrade logic in the hackney library, where the host, path, headers, and protocols options supplied via the opts map are concatenated directly into the raw HTTP/1.1 upgrade request without any sanitization. This design flaw enables an attacker who can inject CRLF or NUL bytes into any of these fields to perform CRLF injection, allowing arbitrary HTTP header injection. Such header injection can be used for credential spoofing against upstream servers, log or cache poisoning, or request smuggling through intermediary proxies. The weakness is classified as CWE‑93 (Improper Neutralization of CRLF Sequences).

Affected Systems

The affected product is the Erlang/OTP HTTP client library hackney, in all releases from version 2.0.0 up to, but not including, 4.0.1. The fix is available in version 4.0.1 and later. No further sub‑product distinctions are indicated.

Risk and Exploitability

The CVSS base score of 6.9 indicates a moderate impact. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires that an attacker can influence the opts map passed to hackney_ws:start_link/1, which typically means control over part of the WebSocket client request. No public exploits have been documented yet, but the possibility of header injection, credential spoofing, and request smuggling presents a credible threat in environments where untrusted input may reach the library.

Generated by OpenCVE AI on May 25, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade hackney to version 4.0.1 or later, which eliminates the unsanitized concatenation.
  • If an upgrade is not feasible, sanitize all values supplied for host, path, headers, or protocols by stripping CRLF or NUL characters before passing them to hackney_ws:start_link/1.
  • Refactor any code that injects user-supplied data into the opts map for WebSocket connections to use trusted or hardcoded values instead.
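The second action above (sanitizing host, path, headers and protocols before they reach hackney_ws:start_link/1) is easiest to enforce in one place. The module below is an added example, not code from hackney or from this advisory: it rejects any option containing CR, LF or NUL instead of silently stripping those bytes, so a caller that forwards tainted input gets an error it can log rather than a subtly altered request. The key names host, path, headers and protocols are taken from the description above; the exact shape of the opts map, the assumption that headers is a list of {Name, Value} pairs of binaries or strings, and the return value of hackney_ws:start_link/1 are assumptions.

```erlang
%% ws_opts_guard.erl: guard the options handed to hackney_ws:start_link/1.
%% Added example, not hackney's own code. Key names follow the advisory text;
%% the exact shape of hackney's opts map is an assumption.
-module(ws_opts_guard).
-export([validate/1, safe_start_link/1, example/0]).

%% Bytes that must never reach the raw HTTP/1.1 upgrade request: CR, LF, NUL.
-define(FORBIDDEN, [$\r, $\n, 0]).

%% Returns ok when every injection-prone option is free of CR/LF/NUL,
%% otherwise {error, {crlf_injection, Key}} naming the offending option.
-spec validate(map()) -> ok | {error, {crlf_injection, atom()}}.
validate(Opts) when is_map(Opts) ->
    check_keys([host, path, headers, protocols], Opts).

check_keys([], _Opts) -> ok;
check_keys([Key | Rest], Opts) ->
    case clean(Key, maps:get(Key, Opts, undefined)) of
        true  -> check_keys(Rest, Opts);
        false -> {error, {crlf_injection, Key}}
    end.

%% An absent option contributes nothing to the request.
clean(_Key, undefined) -> true;
%% headers: assumed list of {Name, Value}; both halves are written to the wire.
clean(headers, Headers) when is_list(Headers) ->
    lists:all(fun({Name, Value}) -> clean_value(Name) andalso clean_value(Value);
                 (_Other) -> false
              end, Headers);
%% protocols: either one subprotocol name or a list of them (assumed).
clean(protocols, Protocols) when is_list(Protocols) ->
    case lists:all(fun erlang:is_integer/1, Protocols) of
        true  -> clean_value(Protocols);           % a single charlist
        false -> lists:all(fun clean_value/1, Protocols)
    end;
clean(_Key, Value) -> clean_value(Value).

%% Accept binaries and flat charlists only; nested iolists or other terms
%% are rejected so the guard fails closed on anything it cannot inspect.
clean_value(Bin) when is_binary(Bin) -> clean_value(binary_to_list(Bin));
clean_value(Str) when is_list(Str) ->
    lists:all(fun(C) -> is_integer(C) andalso not lists:member(C, ?FORBIDDEN) end,
              Str);
clean_value(_Other) -> false.

%% Drop-in wrapper: only starts the WebSocket client when validate/1 passes.
safe_start_link(Opts) ->
    case validate(Opts) of
        ok -> hackney_ws:start_link(Opts);
        {error, _} = Err -> Err
    end.

%% Constructed inputs for a quick check from the shell: ws_opts_guard:example().
example() ->
    Good = #{host => <<"ws.example.test">>,
             path => <<"/socket">>,
             headers => [{<<"Authorization">>, <<"Bearer constructed-token">>}],
             protocols => [<<"chat">>]},
    %% Same map with a CRLF smuggled into the path, as the advisory describes.
    Bad = Good#{path => <<"/socket\r\nX-Injected: 1">>},
    {validate(Good), validate(Bad)}.
```

example/0 returns ok for the clean map and {error, {crlf_injection, path}} for the tainted one. Rejecting rather than stripping is deliberate: stripping turns "/socket\r\nX-Injected: 1" into a different but syntactically valid path, which hides the fact that untrusted data reached the options map; an error makes that reachability visible in logs and tests, which is the thing the third recommended action asks you to eliminate.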

Advisories

No advisories yet.

History

Thu, 28 May 2026 20:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Tue, 26 May 2026 16:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 25 May 2026 14:30:00 +0000

Initial record; all values below were added, none removed.

Description: Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackney_ws.erl copies the host, path, headers (ExtraHeaders), and protocols options from the caller-supplied opts map into the internal #ws_data{} record in init/1 and then splices them verbatim into the raw HTTP/1.1 upgrade request by binary concatenation in do_handshake/1. No CRLF or NUL stripping is performed at any of these four injection sites. An attacker who controls any of these options — for example by forwarding URL components or header values from untrusted input into hackney_ws:start_link/1 — can inject arbitrary HTTP headers into the outbound WebSocket upgrade request, leading to header injection, credential spoofing toward the upstream server, log and cache poisoning, or request smuggling via intermediary proxies. This issue affects hackney: from 2.0.0 before 4.0.1.
Title: CRLF injection in WebSocket upgrade request in hackney
First Time appeared: Benoitc; Benoitc hackney
Weaknesses: CWE-93
CPEs: cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
Vendors & Products: Benoitc; Benoitc hackney
References: (empty)
Metrics: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N'}

MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-27T15:41:24.863Z

Reserved: 2026-05-18T17:28:08.322Z

Link: CVE-2026-47072

Vulnrichment

Updated: 2026-05-26T15:46:05.647Z

NVD

Status: Analyzed

Published: 2026-05-25T15:16:22.280

Modified: 2026-05-28T20:27:13.240

Link: CVE-2026-47072

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T13:00:50Z

Weaknesses
  • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')