CVE-2026-47075

HIGH

CR/LF injection in query parameter in hackney

Title source: cna

Description

Improper Neutralization of CRLF Sequences vulnerability in benoitc hackney allows HTTP Request Splitting. hackney does not percent-encode carriage return (\r) or line feed (\n) characters in the URL query component before constructing the HTTP/1.1 request target. Characters outside the grammar defined in RFC 3986 Section 3.4 must be percent-encoded, but hackney_url:make_url/3 passes the query binary directly without validation or escaping. An attacker who can control all or part of a URL passed to hackney can inject raw CRLF sequences into the query string, which are then sent as HTTP line breaks in the request target. This enables injection of arbitrary HTTP headers or splitting of the HTTP request. This issue affects hackney: from 0 before 4.0.1.

References (4)

Core 4

Core References

Vendor Advisory vendor-advisory related

https://github.com/benoitc/hackney/security/advisories/GHSA-j9wq-vxxc-94wf

Patch patch

https://github.com/benoitc/hackney/commit/ca73dd0aba0ed557449c18288bf07241671a43c9

View Patch ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0039

EPSS Percentile 30.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-93

Status published

Products (2)

benoitc/hackney < 4.0.1 (2 CPE variants)

benoitc/hackney 8bb1a359a81ae58567c84f8d24564e9742e6f2bd - ca73dd0aba0ed557449c18288bf07241671a43c9

Published May 25, 2026

Tracked Since May 25, 2026