CVE-2026-47069
CRLF Injection in hackney HTTP Library
Publication date: 2026-05-25
Last updated on: 2026-05-25
Assigner: EEF
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| benoitc | hackney | From 0.9.0 (inc) to 4.0.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Improper Neutralization of CRLF Sequences, also known as CRLF Injection, found in the benoitc hackney library. Specifically, the hackney_cookie:setcookie/3 function validates the Name and Value arguments to prevent CRLF and control characters, but it does not validate the domain and path options before concatenating them into the HTTP response. An attacker who can control either the domain or path (for example by manipulating the Host header or request path) can inject CRLF sequences and additional Set-Cookie headers into the HTTP response, leading to HTTP Response Splitting.
How can this vulnerability impact me?
This vulnerability can allow an attacker to perform HTTP Response Splitting by injecting CRLF sequences into HTTP responses. This can lead to security issues such as web cache poisoning, cross-site scripting (XSS), session fixation, or other attacks that rely on manipulating HTTP headers or responses.
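As an added illustration of the fix pattern described above (this is example code, not hackney's own implementation), a Python Set-Cookie builder that applies the same control-character check to the Domain and Path attributes as to the cookie name and value, plus a pre-send check over an outgoing header map. The function names, the regex and the sample values are assumptions made for this example.

```python
import re
from typing import Dict, List, Optional

# CR and LF end a header line, and the other C0 controls plus DEL are not
# valid in a header field value, so none of them may appear in any cookie
# component. The same rule must cover attributes derived from request data
# (Host header, URL path), which is exactly what the hackney bug missed.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def check_cookie_component(field: str, value: str) -> str:
    """Return value unchanged, or raise if it contains a control character."""
    if _CONTROL_CHARS.search(value):
        raise ValueError(f"control character in cookie {field}: {value!r}")
    return value


def build_set_cookie(name: str, value: str, domain: Optional[str] = None,
                     path: Optional[str] = None, secure: bool = False,
                     http_only: bool = False) -> str:
    """Build a Set-Cookie header value, validating every component.

    Hardened shape: Domain and Path go through the same check as name/value
    before they are concatenated into the header.
    """
    check_cookie_component("name", name)
    check_cookie_component("value", value)
    parts = [f"{name}={value}"]
    if domain is not None:
        parts.append("Domain=" + check_cookie_component("domain", domain))
    if path is not None:
        parts.append("Path=" + check_cookie_component("path", path))
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def find_unsafe_headers(headers: Dict[str, str]) -> List[str]:
    """Defence-in-depth check before serialising a response: return the names
    of headers whose value would split the response into extra header lines."""
    return [name for name, val in headers.items() if _CONTROL_CHARS.search(val)]
```

`find_unsafe_headers` is meant to run in a response middleware so that a header built by any code path, not only the cookie helper, is refused before it reaches the wire.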