CVE-2026-47072: CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') in benoitc hackney
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackney_ws.erl copies the host, path, headers (ExtraHeaders), and protocols options from the caller-supplied opts map into the internal #ws_data{} record in init/1 and then splices them verbatim into the raw HTTP/1.1 upgrade request by binary concatenation in do_handshake/1. No CRLF or NUL stripping is performed at any of these four injection sites. An attacker who controls any of these options — for example by forwarding URL components or header values from untrusted input into hackney_ws:start_link/1 — can inject arbitrary HTTP headers into the outbound WebSocket upgrade request, leading to header injection, credential spoofing toward the upstream server, log and cache poisoning, or request smuggling via intermediary proxies. This issue affects hackney: from 2.0.0 before 4.0.1.
AI Analysis
Technical Summary
The vulnerability CVE-2026-47072 in benoitc hackney (versions 2.0.0 to before 4.0.1) is due to improper neutralization of CRLF sequences in the WebSocket upgrade request construction. The code copies caller-supplied options (host, path, headers, protocols) into an internal record and concatenates them verbatim into the raw HTTP/1.1 upgrade request without stripping CRLF or NUL characters. This allows attackers controlling these inputs to inject arbitrary HTTP headers, enabling HTTP request/response splitting attacks such as header injection, credential spoofing, log and cache poisoning, or request smuggling via intermediary proxies.
Potential Impact
An attacker who can control any of the WebSocket upgrade options (host, path, headers, protocols) can inject arbitrary HTTP headers into outbound upgrade requests. This can lead to HTTP request/response splitting attacks, including header injection, credential spoofing toward upstream servers, log and cache poisoning, and request smuggling through intermediary proxies. These impacts can undermine the integrity and security of HTTP communications involving the hackney library.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch is currently available, users should avoid passing untrusted input into the WebSocket upgrade options (host, path, headers, protocols) to prevent injection. Monitor vendor communications for updates and apply any official patches once released.
CVE-2026-47072: CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') in benoitc hackney
Description
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackney_ws.erl copies the host, path, headers (ExtraHeaders), and protocols options from the caller-supplied opts map into the internal #ws_data{} record in init/1 and then splices them verbatim into the raw HTTP/1.1 upgrade request by binary concatenation in do_handshake/1. No CRLF or NUL stripping is performed at any of these four injection sites. An attacker who controls any of these options — for example by forwarding URL components or header values from untrusted input into hackney_ws:start_link/1 — can inject arbitrary HTTP headers into the outbound WebSocket upgrade request, leading to header injection, credential spoofing toward the upstream server, log and cache poisoning, or request smuggling via intermediary proxies. This issue affects hackney: from 2.0.0 before 4.0.1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-47072 in benoitc hackney (versions 2.0.0 to before 4.0.1) is due to improper neutralization of CRLF sequences in the WebSocket upgrade request construction. The code copies caller-supplied options (host, path, headers, protocols) into an internal record and concatenates them verbatim into the raw HTTP/1.1 upgrade request without stripping CRLF or NUL characters. This allows attackers controlling these inputs to inject arbitrary HTTP headers, enabling HTTP request/response splitting attacks such as header injection, credential spoofing, log and cache poisoning, or request smuggling via intermediary proxies.
Potential Impact
An attacker who can control any of the WebSocket upgrade options (host, path, headers, protocols) can inject arbitrary HTTP headers into outbound upgrade requests. This can lead to HTTP request/response splitting attacks, including header injection, credential spoofing toward upstream servers, log and cache poisoning, and request smuggling through intermediary proxies. These impacts can undermine the integrity and security of HTTP communications involving the hackney library.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch is currently available, users should avoid passing untrusted input into the WebSocket upgrade options (host, path, headers, protocols) to prevent injection. Monitor vendor communications for updates and apply any official patches once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-05-18T17:28:08.322Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a149bd3a5ae1af1aad77327
Added to database: 5/25/2026, 6:58:27 PM
Last enriched: 5/25/2026, 6:59:13 PM
Last updated: 5/26/2026, 7:53:46 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.