Description
Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery. hackney_url:normalize/2 URL-decodes the host component after the URL has been parsed into a #hackney_url{} record. OTP's uri_string:parse/1 and inet:parse_address/1 do not decode percent-escapes in the host, so a URL such as http://%31%32%37%2E%30%2E%30%2E%31/ is seen by a caller's allowlist validator with host %31%32%37%2E%30%2E%30%2E%31 (not an IP address), which passes the allowlist check. hackney's normalizer then decodes the host to 127.0.0.1 and opens a TCP connection to loopback. Because hackney:request/5 always calls hackney_url:normalize/2 with no opt-out, every request that takes a binary or list URL is affected. The same technique reaches cloud instance metadata services (169.254.169.254), RFC1918 networks, and any admin interface listening on localhost.

This issue affects hackney: from 0.13.0 before 4.0.1.
Published: 2026-05-25
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in hackney’s URL normalization routine, which decodes a percent‑encoded host component after the URL has been parsed. A crafted URL such as http://%31%32%37%2E%30%2E%30%2E%31/ passes an allowlist check that is based on the un‑decoded host string. Hackney then normalizes the host to 127.0.0.1 and opens a TCP connection, letting the attacker reach internal services, cloud metadata endpoints, RFC1918 networks, or any other service listening on localhost. This flaw enables an attacker who can influence a Hackney request to exfiltrate data or trigger further actions on internal resources, thereby compromising confidentiality and integrity.

Affected Systems

The affected product is the Hackney HTTP client library, distributed by the vendor benoitc. Versions from 0.13.0 through 4.0.0 are vulnerable. The library is widely used in Erlang and BEAM‑based applications.

Risk and Exploitability

The CVSS score of 6.9 classifies the weakness as medium severity. No EPSS value is available, and the vulnerability is not listed in the CISA KEV catalog. The exploit requires an application to pass a specifically crafted URL to hackney:request/5; the percent‑encoded host bypasses the allowlist and triggers the vulnerability. Because the flaw is exercised on every URL passed to hackney, any vulnerable application that uses the library for outbound HTTP requests is potentially exposed. Given the medium CVSS score and the lack of widespread exploitation data, the risk is moderate but should be addressed promptly.

Generated by OpenCVE AI on May 25, 2026 at 15:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to hackney version 4.0.1 or later.
  • Block outbound connections to localhost, 169.254.169.254, and RFC1918 address ranges on the host network.
  • Validate or sanitize URLs before passing them to Hackney, ensuring that host components are not percent‑encoded or otherwise obfuscated.
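The description above and the third recommended action both come down to one rule: the host the validator judges must be the host the client connects to. The following Erlang module is an added example, not hackney's code and not part of the OpenCVE record, showing the naive validator pattern the description bypasses next to a hardened one that refuses any host still carrying a percent-escape. It assumes OTP 23 or later (for uri_string:percent_decode/1), string (list) URLs, and the parse behaviour stated in the description; the module name, function names and the deny set of internal ranges are this example's own choices.

```erlang
%% ssrf_guard.erl
%% Added example (not hackney's code, not part of the OpenCVE record).
%% Assumes OTP 23+ and list URLs; module and function names are hypothetical.
-module(ssrf_guard).
-export([naive_check/1, check/1, effective_host/1]).

%% Deny set used by this example: loopback, link-local (cloud instance
%% metadata lives in 169.254.0.0/16), the RFC1918 ranges and IPv6 loopback.
is_internal_ip({127, _, _, _}) -> true;
is_internal_ip({10, _, _, _}) -> true;
is_internal_ip({172, B, _, _}) when B >= 16, B =< 31 -> true;
is_internal_ip({192, 168, _, _}) -> true;
is_internal_ip({169, 254, _, _}) -> true;
is_internal_ip({0, 0, 0, 0, 0, 0, 0, 1}) -> true;
is_internal_ip(_) -> false.

%% Classify a host string: an IP literal in the deny set is rejected,
%% anything inet:parse_address/1 cannot parse is treated as a hostname.
classify_host(Host) ->
    case inet:parse_address(Host) of
        {ok, Ip} ->
            case is_internal_ip(Ip) of
                true -> {error, internal_address};
                false -> ok
            end;
        {error, _} ->
            ok
    end.

%% The pattern the description bypasses: the host is checked exactly as
%% uri_string:parse/1 returns it. For the URL in the description the host is
%% still "%31%32%37%2E%30%2E%30%2E%31", which is not an IP literal, so this
%% returns ok even though hackney later decodes it to 127.0.0.1.
naive_check(Url) ->
    case uri_string:parse(Url) of
        #{host := Host} -> classify_host(Host);
        _ -> {error, unparseable}
    end.

%% Hardened check: refuse any host that still carries a percent-escape before
%% classifying it. Hostnames never legitimately need percent-encoding, so the
%% rule loses nothing, and validator and client then see the same bytes.
check(Url) ->
    case uri_string:parse(Url) of
        #{host := Host} ->
            case lists:member($%, Host) of
                true -> {error, percent_encoded_host};
                false -> classify_host(Host)
            end;
        _ ->
            {error, unparseable}
    end.

%% Diagnostic only: the host as it looks after percent-decoding, for logging
%% rejected requests. This example assumes uri_string:percent_decode/1 is a
%% fair stand-in for the escape handling in hackney_url:normalize/2; do not
%% use it as the guard itself.
effective_host(Url) ->
    case uri_string:parse(Url) of
        #{host := Host} -> uri_string:percent_decode(Host);
        _ -> {error, unparseable}
    end.
```

Run check/1 in front of every hackney:request/5 call that takes caller-influenced input. On the URL from the description, naive_check/1 returns ok while check/1 returns {error, percent_encoded_host}; effective_host/1 shows the decoded "127.0.0.1" that inet:parse_address/1 does recognise, which is the gap between the two functions. The rejection on any "%" in the host is deliberately blunt: it is the check that does not depend on reproducing the client's decoding exactly.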


Tracking


Advisories

No advisories yet.

History

Wed, 27 May 2026 14:00:00 +0000

Type: Metrics
Values added (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


Tue, 26 May 2026 16:30:00 +0000

Type: Metrics
Values added (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 25 May 2026 14:30:00 +0000

Values added:
Description: Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery. hackney_url:normalize/2 URL-decodes the host component after the URL has been parsed into a #hackney_url{} record. OTP's uri_string:parse/1 and inet:parse_address/1 do not decode percent-escapes in the host, so a URL such as http://%31%32%37%2E%30%2E%30%2E%31/ is seen by a caller's allowlist validator with host %31%32%37%2E%30%2E%30%2E%31 (not an IP address), which passes the allowlist check. hackney's normalizer then decodes the host to 127.0.0.1 and opens a TCP connection to loopback. Because hackney:request/5 always calls hackney_url:normalize/2 with no opt-out, every request that takes a binary or list URL is affected. The same technique reaches cloud instance metadata services (169.254.169.254), RFC1918 networks, and any admin interface listening on localhost. This issue affects hackney: from 0.13.0 before 4.0.1.
Title: SSRF allowlist bypass via percent-encoded host in hackney
First Time appeared: Benoitc; Benoitc hackney
Weaknesses: CWE-436; CWE-918
CPEs: cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
Vendors & Products: Benoitc; Benoitc hackney
References: (none listed)
Metrics (cvssV4_0): {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-27T15:41:17.845Z

Reserved: 2026-05-18T17:28:10.319Z

Link: CVE-2026-47076

Vulnrichment

Updated: 2026-05-26T15:46:45.024Z

NVD

Status : Analyzed

Published: 2026-05-25T15:16:22.690

Modified: 2026-05-27T13:51:53.650

Link: CVE-2026-47076

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T13:00:51Z

Weaknesses
  • CWE-436: Interpretation Conflict
  • CWE-918: Server-Side Request Forgery (SSRF)