CVE-2026-47072

Exploit

EPSS 0.51%
Veröffentlicht 25.05.2026 14:00:47
Zuletzt bearbeitet 28.05.2026 20:27:13
Quelle 6b3ad84c-e1a6-4bf7-a703-f496b7
CVE-Watchlists
Login
Unerledigt
Login

CRLF injection in WebSocket upgrade request in hackney

Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackney_ws.erl copies the host, path, headers (ExtraHeaders), and protocols options from the caller-supplied opts map into the internal #ws_data{} record in init/1 and then splices them verbatim into the raw HTTP/1.1 upgrade request by binary concatenation in do_handshake/1. No CRLF or NUL stripping is performed at any of these four injection sites. An attacker who controls any of these options — for example by forwarding URL components or header values from untrusted input into hackney_ws:start_link/1 — can inject arbitrary HTTP headers into the outbound WebSocket upgrade request, leading to header injection, credential spoofing toward the upstream server, log and cache poisoning, or request smuggling via intermediary proxies.

This issue affects hackney: from 2.0.0 before 4.0.1.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Benoitc ≫ Hackney Version >= 2.0.0 < 4.0.1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.51%	0.392

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
6b3ad84c-e1a6-4bf7-a703-f496b71e49db	6.9	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

https://github.com/benoitc/hackney/security/advisories/GHSA-f9vr-g2g2-x9fg

Patch

Vendor Advisory

Exploit

https://cna.erlef.org/cves/CVE-2026-47072.html

Patch

Third Party Advisory

https://osv.dev/vulnerability/EEF-CVE-2026-47072

Patch

Third Party Advisory

https://github.com/benoitc/hackney/commit/52310ca807e7b48441ba0e9129171f535313fdd1

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-47072

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-47072

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-47072

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-47072