Description
Improper Neutralization of CRLF Sequences vulnerability in benoitc hackney allows HTTP Request Splitting. hackney does not percent-encode carriage return (\r) or line feed (\n) characters in the URL query component before constructing the HTTP/1.1 request target. Characters outside the grammar defined in RFC 3986 Section 3.4 must be percent-encoded, but hackney_url:make_url/3 passes the query binary directly without validation or escaping. An attacker who can control all or part of a URL passed to hackney can inject raw CRLF sequences into the query string, which are then sent as HTTP line breaks in the request target. This enables injection of arbitrary HTTP headers or splitting of the HTTP request.

This issue affects hackney: from 0 before 4.0.1.
Published: 2026-05-25
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because hackney does not percent‑encode carriage return and line feed characters that appear in the query component of a URL. When a query string containing raw CRLF characters is passed to hackney, those characters are transmitted as actual line breaks in the HTTP/1.1 request target. This enables HTTP Request Splitting, allowing an attacker to inject arbitrary HTTP headers, alter the request body, or split a single request into multiple requests directed to downstream services. The effect is a loss of control over the outbound request and gives attackers the opportunity to inject arbitrary headers that could influence downstream services. The extent to which this could lead to privilege‑escalation or data exfiltration is not explicitly detailed in the description, so those outcomes are inferred rather than directly stated.

Affected Systems

Vendor benoitc, Product hackney. All releases from version 0 up to, but not including, 4.0.1 are affected. The flaw exists in any version where the URL query string is concatenated into the request without percent‑encoding.

Risk and Exploitability

The CVSS score of 6.8 indicates medium severity. An attacker who can supply a controlled URL to the library can exploit the issue, as the flaw requires only the ability to inject CR and LF characters into the query string. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation yet. However, the possibility of inserting arbitrary headers poses a significant threat to applications that rely on hackney for communicating with trusted services, thus the risk should be treated as non‑negligible.

Generated by OpenCVE AI on May 25, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade hackney to version 4.0.1 or later.
  • Ensure that any URL passed to hackney is sanitized so that carriage return and line feed characters are percent‑encoded before use.
  • Avoid passing user‑controlled URLs directly to hackney; validate or sanitize query components in application code.
  • Monitor application logs for unexpected HTTP header patterns that may indicate request‑splitting attempts.

Generated by OpenCVE AI on May 25, 2026 at 15:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Tue, 26 May 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 25 May 2026 14:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of CRLF Sequences vulnerability in benoitc hackney allows HTTP Request Splitting. hackney does not percent-encode carriage return (\r) or line feed (\n) characters in the URL query component before constructing the HTTP/1.1 request target. Characters outside the grammar defined in RFC 3986 Section 3.4 must be percent-encoded, but hackney_url:make_url/3 passes the query binary directly without validation or escaping. An attacker who can control all or part of a URL passed to hackney can inject raw CRLF sequences into the query string, which are then sent as HTTP line breaks in the request target. This enables injection of arbitrary HTTP headers or splitting of the HTTP request. This issue affects hackney: from 0 before 4.0.1.
Title CR/LF injection in query parameter in hackney
First Time appeared Benoitc
Benoitc hackney
Weaknesses CWE-93
CPEs cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
Vendors & Products Benoitc
Benoitc hackney
References
Metrics cvssV4_0

{'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N'}

Subscriptions

Benoitc Hackney
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-27T15:41:12.825Z

Reserved: 2026-05-18T17:28:08.322Z

Link: CVE-2026-47075

cve-icon Vulnrichment

Updated: 2026-05-26T15:49:56.933Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-25T15:16:22.550

Modified: 2026-05-28T20:26:32.360

Link: CVE-2026-47075

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T13:00:53Z

Weaknesses
  • CWE-93

    Improper Neutralization of CRLF Sequences ('CRLF Injection')