GHSA-F9VR-G2G2-X9FG

Vulnerability from github – Published: 2026-06-26 21:59 – Updated: 2026-06-26 21:59
VLAI
Summary
Hackney has CRLF / header injection in WebSocket upgrade request
Details

Summary

CRLF injection in hackney's WebSocket upgrade request builder (src/hackney_ws.erl). init/1 copies the host, path, headers, and protocols options from the caller-supplied opts map verbatim into #ws_data{}, and do_handshake/1 splices them directly into the raw HTTP/1.1 upgrade request by binary concatenation with no \r\n or \0 stripping. A caller that passes any of these fields from untrusted input can inject arbitrary header lines into the outbound upgrade request.

Details

do_handshake/1 builds the upgrade request at several concatenation sites:

  • Host header (lines 583–590): the host binary is written straight into Host: <host>:<port>\r\n.
  • Sec-WebSocket-Protocol (lines 601–602): protocol tokens are joined with , and appended as a header line.
  • Extra headers (line 606): caller-supplied {Name, Value} tuples are concatenated as Name: Value\r\n with no sanitization of either component.
  • Request path (line 611): the path is interpolated into the GET <path> HTTP/1.1\r\n request line.

None of these sites reject \r, \n, or \0. A header value like <<"benign\r\nAuthorization: Bearer token">> produces two distinct header lines on the wire. A path with an embedded \r\n rewrites the request line itself.

PoC

  1. Call :hackney_ws.start_link/1 with headers: [{"X-User", "v\r\nAuthorization: Bearer attacker"}].
  2. Connect to a raw TCP listener and capture the bytes hackney writes.
  3. The request contains a standalone Authorization: Bearer attacker line that the upstream WebSocket server parses as a legitimate header.

Impact

Header injection / request smuggling in outbound WebSocket upgrades. Affects hackney 2.0.0 through 4.0.0 wherever host, path, headers, or protocols options are populated from network or user input. Consequences include forging authentication headers toward the upstream server, log and cache poisoning, and request smuggling through intermediary proxies. CVSS v4.0: 6.9 (MEDIUM).

Resources

  • Introduction commit: https://github.com/benoitc/hackney/commit/690cecaf236fba49526da404a5bc889a24367a3e
  • Patch commit: https://github.com/benoitc/hackney/commit/52310ca807e7b48441ba0e9129171f535313fdd1
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Hex",
        "name": "hackney"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "4.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47072"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T21:59:44Z",
    "nvd_published_at": "2026-05-25T15:16:22Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nCRLF injection in hackney\u0027s WebSocket upgrade request builder (`src/hackney_ws.erl`). `init/1` copies the `host`, `path`, `headers`, and `protocols` options from the caller-supplied opts map verbatim into `#ws_data{}`, and `do_handshake/1` splices them directly into the raw HTTP/1.1 upgrade request by binary concatenation with no `\\r\\n` or `\\0` stripping. A caller that passes any of these fields from untrusted input can inject arbitrary header lines into the outbound upgrade request.\n\n### Details\n\n`do_handshake/1` builds the upgrade request at several concatenation sites:\n\n- **Host header** (lines 583\u2013590): the host binary is written straight into `Host: \u003chost\u003e:\u003cport\u003e\\r\\n`.\n- **Sec-WebSocket-Protocol** (lines 601\u2013602): protocol tokens are joined with `, ` and appended as a header line.\n- **Extra headers** (line 606): caller-supplied `{Name, Value}` tuples are concatenated as `Name: Value\\r\\n` with no sanitization of either component.\n- **Request path** (line 611): the path is interpolated into the `GET \u003cpath\u003e HTTP/1.1\\r\\n` request line.\n\nNone of these sites reject `\\r`, `\\n`, or `\\0`. A header value like `\u003c\u003c\"benign\\r\\nAuthorization: Bearer token\"\u003e\u003e` produces two distinct header lines on the wire. A path with an embedded `\\r\\n` rewrites the request line itself.\n\n### PoC\n\n1. Call `:hackney_ws.start_link/1` with `headers: [{\"X-User\", \"v\\r\\nAuthorization: Bearer attacker\"}]`.\n2. Connect to a raw TCP listener and capture the bytes hackney writes.\n3. The request contains a standalone `Authorization: Bearer attacker` line that the upstream WebSocket server parses as a legitimate header.\n\n### Impact\n\nHeader injection / request smuggling in outbound WebSocket upgrades. Affects hackney 2.0.0 through 4.0.0 wherever `host`, `path`, `headers`, or `protocols` options are populated from network or user input. Consequences include forging authentication headers toward the upstream server, log and cache poisoning, and request smuggling through intermediary proxies. CVSS v4.0: **6.9 (MEDIUM)**.\n\n## Resources\n\n* Introduction commit: https://github.com/benoitc/hackney/commit/690cecaf236fba49526da404a5bc889a24367a3e\n* Patch commit: https://github.com/benoitc/hackney/commit/52310ca807e7b48441ba0e9129171f535313fdd1",
  "id": "GHSA-f9vr-g2g2-x9fg",
  "modified": "2026-06-26T21:59:44Z",
  "published": "2026-06-26T21:59:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/benoitc/hackney/security/advisories/GHSA-f9vr-g2g2-x9fg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47072"
    },
    {
      "type": "WEB",
      "url": "https://github.com/benoitc/hackney/commit/52310ca807e7b48441ba0e9129171f535313fdd1"
    },
    {
      "type": "WEB",
      "url": "https://cna.erlef.org/cves/CVE-2026-47072.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/benoitc/hackney"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/EEF-CVE-2026-47072"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Hackney has CRLF / header injection in WebSocket upgrade request"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…