MEDIUM🇬🇧 English

CVE-2026-47072

CVSS 6.9v4.0pub. 2026-05-25upd. 2026-05-28

Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackney_ws.erl copies the host, path, headers (ExtraHeaders), and protocols options from the caller-supplied opts map into the internal #ws_data{} record in init/1 and then splices them verbatim into the raw HTTP/1.1 upgrade request by binary concatenation in do_handshake/1. No CRLF or NUL stripping is performed at any of these four injection sites. An attacker who controls any of these options — for example by forwarding URL components or header values from untrusted input into hackney_ws:start_link/1 — can inject arbitrary HTTP headers into the outbound WebSocket upgrade request, leading to header injection, credential spoofing toward the upstream server, log and cache poisoning, or request smuggling via intermediary proxies. This issue affects hackney: from 2.0.0 before 4.0.1.

oryginał EN
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Benoitc Hackney

    APP
    Benoitc
    2.0.0 – 4.0.1 (bez)
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2026-47077HIGH8.2ten sam produkt

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney...

CVE-2026-47067HIGH8.7ten sam produkt

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The URL...

CVE-2026-47071HIGH8.2ten sam produkt

Uncontrolled Resource Consumption vulnerability in benoitc hackney allows Flooding. The SOCKS5 transport in sr...

CVE-2026-47073HIGH8.7ten sam produkt

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The Web...

CVE-2026-47066HIGH8.7ten sam produkt

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in benoitc hackney allows Excessive Alloc...