CVE-2026-47069: CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') in benoitc hackney
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Response Splitting. The hackney_cookie:setcookie/3 function in src/hackney_cookie.erl validates the Name and Value arguments against CRLF and control characters, but concatenates the domain and path options verbatim into the output iolist with no equivalent check. An attacker who controls either option — for example by supplying a Host header value forwarded as the cookie domain, or a request path forwarded as the cookie path — can inject a literal CRLF sequence and arbitrary additional Set-Cookie headers into the HTTP response. This issue affects hackney: from 0.9.0 before 4.0.1.
AI Analysis
Technical Summary
The vulnerability in benoitc hackney's hackney_cookie:setcookie/3 function involves improper neutralization of CRLF sequences in the domain and path options of cookies. While the function validates the Name and Value arguments against CRLF and control characters, it concatenates the domain and path options without validation, enabling an attacker who can control these options (e.g., via Host header or request path) to inject CRLF sequences and arbitrary additional Set-Cookie headers, resulting in HTTP response splitting. This affects hackney versions from 0.9.0 before 4.0.1.
Potential Impact
An attacker able to supply the domain or path options for cookies can inject CRLF sequences into HTTP responses, leading to HTTP response splitting. This may allow manipulation of HTTP headers and potentially affect client-side behavior. The CVSS score of 2.1 reflects a low severity impact with limited attack vector and complexity.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid forwarding untrusted input such as Host headers or request paths directly into cookie domain or path options. Implement input validation or sanitization on these values before use in hackney_cookie:setcookie/3.
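To make the mitigation concrete, here is an added example (not hackney's code and not from the advisory) that models the described behaviour in Python: `set_cookie_unchecked` mirrors a builder that screens name and value but concatenates domain and path verbatim, `set_cookie_checked` applies the same control-character check to every attribute, and `count_header_lines` is the defensive check a test suite can run over serialized output. `BAD_DOMAIN` is a constructed sample value.

```python
import re

# CR, LF and every other ASCII control character: none of these may appear
# unencoded inside an HTTP header value, so a cookie attribute containing one
# is a response-splitting attempt, not a valid domain or path.
_CTL = re.compile(r"[\x00-\x1f\x7f]")


def is_safe_cookie_attr(value: str) -> bool:
    """True if value contains no CR, LF or other control characters."""
    return _CTL.search(value) is None


def set_cookie_unchecked(name: str, value: str, domain: str = "", path: str = "") -> str:
    """Model of the behaviour the advisory describes (hypothetical, not hackney's
    implementation): name and value are checked, domain and path are not."""
    for field in (name, value):
        if not is_safe_cookie_attr(field):
            raise ValueError("cookie name/value contains control characters")
    header = f"Set-Cookie: {name}={value}"
    if domain:
        header += f"; Domain={domain}"
    if path:
        header += f"; Path={path}"
    return header


def set_cookie_checked(name: str, value: str, domain: str = "", path: str = "") -> str:
    """Hardened form: every attribute gets the same check before concatenation."""
    for label, field in (("name", name), ("value", value), ("domain", domain), ("path", path)):
        if not is_safe_cookie_attr(field):
            raise ValueError(f"cookie {label} contains CR/LF or control characters")
    return set_cookie_unchecked(name, value, domain, path)


def count_header_lines(serialized: str) -> int:
    """Number of header lines an HTTP parser would see in the serialized output.
    More than one from a single Set-Cookie call means the response was split."""
    return len([ln for ln in serialized.split("\r\n") if ln])


# Constructed sample: a Host value carrying a CRLF followed by a second header.
BAD_DOMAIN = "example.com\r\nSet-Cookie: injected=1"

if __name__ == "__main__":
    print(count_header_lines(set_cookie_unchecked("sid", "abc", domain=BAD_DOMAIN)))  # 2
    try:
        set_cookie_checked("sid", "abc", domain=BAD_DOMAIN)
    except ValueError as err:
        print("rejected:", err)
```

The same `count_header_lines` assertion can be run against real hackney output in a regression test once the upgrade to 4.0.1 or later is in place.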
Technical Details
- Data Version: 5.2
- Assigner Short Name: EEF
- Date Reserved: 2026-05-18T17:28:08.322Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a149bd3a5ae1af1aad77315
Added to database: 5/25/2026, 6:58:27 PM
Last enriched: 5/25/2026, 6:58:50 PM
Last updated: 5/26/2026, 7:54:29 AM