CVE-2026-47072

May 26, 2026, 7:58 p.m.

6.9
Medium

Description

Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackney_ws.erl copies the host, path, headers (ExtraHeaders), and protocols options from the caller-supplied opts map into the internal #ws_data{} record in init/1 and then splices them verbatim into the raw HTTP/1.1 upgrade request by binary concatenation in do_handshake/1. No CRLF or NUL stripping is performed at any of these four injection sites. An attacker who controls any of these options — for example by forwarding URL components or header values from untrusted input into hackney_ws:start_link/1 — can inject arbitrary HTTP headers into the outbound WebSocket upgrade request, leading to header injection, credential spoofing toward the upstream server, log and cache poisoning, or request smuggling via intermediary proxies. This issue affects hackney: from 2.0.0 before 4.0.1.

Product(s) Impacted

Vendor Product Versions
Benoitc
  • Hackney
  • [2.0.0-4.0.0]

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a benoitc hackney [2.0.0-4.0.0] / / / / / / /

References

https://cna.erlef.org/cves/CVE-2026-47072.html
https://github.com/benoitc/hackney/commit/52310ca807e7b48441ba0e9129171f535313fdd1
https://github.com/benoitc/hackney/security/advisories/GHSA-f9vr-g2g2-x9fg
https://osv.dev/vulnerability/EEF-CVE-2026-47072
https://github.com/benoitc/hackney/security/advisories/GHSA-f9vr-g2g2-x9fg

Tags

CWE-93
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
2026-05-25
CVE-2026-47072

CVSS Score

6.9 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: PRESENT
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: NONE
  • Integrity Impact: LOW
  • Availability Impact: NONE
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: May 25, 2026, 3:16 p.m.
Last Modified: May 26, 2026, 7:58 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

6b3ad84c-e1a6-4bf7-a703-f496b71e49db

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.