GHSA-H73Q-4W9Q-82H4

Vulnerability from github – Published: 2026-06-26 21:56 – Updated: 2026-06-26 21:56
Summary
Hackney: Cross-origin Redirect Leaks Authorization, Cookie, and Request Body
Details

Summary

The HTTP/3 redirect handler in src/hackney_h3.erl forwards the original request headers (Authorization, Cookie, Proxy-Authorization) and, for 307/308 responses, the original request body to the redirect target without checking whether the target host matches the origin. When follow_redirect is enabled and a server responds with a cross-origin Location, hackney delivers the caller's credentials verbatim to the attacker-controlled host. The main hackney HTTP/1 client has maybe_strip_auth_on_redirect/2 (the fix for CVE-2018-1000007); the H3 client was added later without it.

Details

In src/hackney_h3.erl, handle_redirect/11 (line 165) extracts the redirect target from the server-controlled Location header via get_redirect_location/1 and resolves it with resolve_redirect_url/2, which accepts any absolute http:// or https:// URL. It then calls do_request_with_redirect/8 passing the original Headers list unchanged. For 307/308 responses, redirect_method/2 preserves the original method and body, so the POST body is also forwarded.

No comparison is made between the original URL's scheme, host, or port and the redirect target. The downstream connect/3 opens a new QUIC connection to whatever the Location header named, and build_request_headers/4 serializes the unmodified headers into the QPACK-encoded request.
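The check that is missing here, as an added example that is not hackney's code or its patch: compare scheme, host and effective port of the original URL and the Location target, strip credential headers when the origins differ, and refuse to replay a 307/308 body across origins. The module name `h3_redirect_guard`, the assumption that header names are binaries or strings, and the refusal policy are this example's own; hackney's actual fix may differ.

```erlang
%% Added example, not hackney's code: guard an HTTP/3 redirect so that
%% credentials and the request body never cross an origin boundary.
%% Module name, header-name type and the 307/308 refusal policy are assumptions.
-module(h3_redirect_guard).
-export([same_origin/2, sanitize_redirect/5]).

%% Header names that must not be forwarded to a different origin.
-define(SENSITIVE, [<<"authorization">>, <<"cookie">>, <<"proxy-authorization">>]).

%% Two absolute URLs share an origin iff scheme, host and effective port match.
same_origin(UrlA, UrlB) ->
    origin(UrlA) =:= origin(UrlB).

%% A badmatch on an unparseable URL is intended: fail closed rather than follow.
origin(Url) ->
    #{scheme := Scheme0, host := Host0} = Parsed =
        uri_string:parse(unicode:characters_to_binary(Url)),
    Scheme = string:lowercase(Scheme0),
    %% A missing port means the scheme default (443 for https, 80 for http).
    Port = maps:get(port, Parsed, default_port(Scheme)),
    {Scheme, string:lowercase(Host0), Port}.

default_port(<<"https">>) -> 443;
default_port(<<"http">>)  -> 80;
default_port(_)           -> undefined.

%% Decide what may be sent to Location.
%%   same origin  -> headers and body unchanged
%%   cross origin -> credential headers dropped; a 307/308 carrying a body is
%%                   refused, because those statuses replay method and body
sanitize_redirect(Status, OriginalUrl, Location, Headers, Body) ->
    Replays = (Status =:= 307 orelse Status =:= 308)
              andalso iolist_size(Body) > 0,
    case same_origin(OriginalUrl, Location) of
        true ->
            {ok, Headers, Body};
        false when Replays ->
            {error, {cross_origin_body_redirect, Location}};
        false ->
            {ok, strip_sensitive(Headers), <<>>}
    end.

%% Case-insensitive removal of the credential headers; header names are
%% assumed to be binaries or strings (hackney_headers uses binaries).
strip_sensitive(Headers) ->
    [H || {Name, _} = H <- Headers,
          not lists:member(string:lowercase(unicode:characters_to_binary(Name)),
                           ?SENSITIVE)].
```

With the PoC's shape of input (a constructed origin `https://first.example/login` redirected by a 307 to `https://other.host/collect` with a bearer header and a body), `sanitize_redirect/5` returns `{error, {cross_origin_body_redirect, _}}`, whereas a 302 from `https://first.example/a` to `https://first.example:443/b` is treated as same-origin and keeps the headers.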

PoC

  1. Issue an HTTP/3 POST to an attacker-controlled origin with follow_redirect => true and an Authorization: Bearer ... header.
  2. The attacker's server responds 307 Location: https://other.host/collect.
  3. hackney opens a new connection to other.host and re-sends the original headers and body, including the bearer token and any Cookie headers.

Impact

Credential and request-body disclosure to attacker-controlled origins. Affects hackney 3.1.1 through 4.0.0 when using the HTTP/3 client with follow_redirect enabled. Any upstream that is malicious, compromised, or reachable via DNS/MITM can steal session tokens, bearer credentials, and POST bodies. CVSS v4.0: 6.0 (MEDIUM).

Resources

  • Introduction commit: https://github.com/benoitc/hackney/commit/e61b7d04b7826847e1efe614106ef4d580c78eab
  • Patch commit: https://github.com/benoitc/hackney/commit/c58d5b50bade146360b85caf3dc8065807b08246

{
  "affected": [
    {
      "package": {
        "ecosystem": "Hex",
        "name": "hackney"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.1"
            },
            {
              "fixed": "4.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47070"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T21:56:29Z",
    "nvd_published_at": "2026-05-25T15:16:22Z",
    "severity": "MODERATE"
  },
  "id": "GHSA-h73q-4w9q-82h4",
  "modified": "2026-06-26T21:56:29Z",
  "published": "2026-06-26T21:56:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/benoitc/hackney/security/advisories/GHSA-h73q-4w9q-82h4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47070"
    },
    {
      "type": "WEB",
      "url": "https://github.com/benoitc/hackney/commit/c58d5b50bade146360b85caf3dc8065807b08246"
    },
    {
      "type": "WEB",
      "url": "https://cna.erlef.org/cves/CVE-2026-47070.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/benoitc/hackney"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/EEF-CVE-2026-47070"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Hackney: Cross-origin Redirect Leaks Authorization, Cookie, and Request Body"
}
