CVE-2026-47072
Analyzed Analyzed - Analysis Complete
CRLF Injection in hackney WebSocket Upgrade

Publication date: 2026-05-25

Last updated on: 2026-05-28

Assigner: EEF

Description
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackney_ws.erl copies the host, path, headers (ExtraHeaders), and protocols options from the caller-supplied opts map into the internal #ws_data{} record in init/1 and then splices them verbatim into the raw HTTP/1.1 upgrade request by binary concatenation in do_handshake/1. No CRLF or NUL stripping is performed at any of these four injection sites. An attacker who controls any of these options β€” for example by forwarding URL components or header values from untrusted input into hackney_ws:start_link/1 β€” can inject arbitrary HTTP headers into the outbound WebSocket upgrade request, leading to header injection, credential spoofing toward the upstream server, log and cache poisoning, or request smuggling via intermediary proxies. This issue affects hackney: from 2.0.0 before 4.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-25
Last Modified
2026-05-28
Generated
2026-06-15
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-47072
EUVD
EUVD-2026-31690
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
benoitc hackney From 2.0.0 (inc) to 4.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an Improper Neutralization of CRLF Sequences, also known as CRLF Injection, in the benoitc hackney library. It occurs in the WebSocket upgrade code where user-supplied options such as host, path, headers, and protocols are copied directly into the HTTP/1.1 upgrade request without any filtering or removal of CRLF (Carriage Return Line Feed) or NUL characters. This allows an attacker who controls any of these inputs to inject arbitrary HTTP headers into the outbound WebSocket upgrade request.

Because no sanitization is performed, an attacker can exploit this to perform HTTP header injection, which can lead to credential spoofing toward upstream servers, log and cache poisoning, or request smuggling through intermediary proxies.

Impact Analysis

This vulnerability can impact you by allowing attackers to inject arbitrary HTTP headers into WebSocket upgrade requests. This can lead to several security issues including:

  • Credential spoofing toward upstream servers, potentially allowing attackers to impersonate legitimate users or services.
  • Log and cache poisoning, which can corrupt logs or cached data, making it difficult to detect attacks or causing incorrect data to be served.
  • Request smuggling via intermediary proxies, which can be used to bypass security controls or manipulate requests and responses.
Compliance Impact

This vulnerability allows an attacker to inject arbitrary HTTP headers into WebSocket upgrade requests, which can lead to credential spoofing, log and cache poisoning, and request smuggling.

Such impacts can compromise the integrity and confidentiality of data transmitted or logged by the affected system, potentially leading to unauthorized access or data leakage.

Consequently, exploitation of this vulnerability could result in non-compliance with data protection regulations like GDPR or HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring data integrity.

Detection Guidance

This vulnerability involves CRLF injection in WebSocket upgrade requests where user-supplied values like host, path, headers, and protocols are concatenated without sanitization. To detect it on your network or system, you can monitor WebSocket upgrade requests for suspicious or malformed headers containing CR (carriage return) or LF (line feed) characters that could indicate injection attempts.

You can use network traffic analysis tools such as tcpdump or Wireshark to capture WebSocket upgrade requests and inspect the headers for unexpected CRLF sequences or header splitting.

  • Use tcpdump to capture WebSocket upgrade requests on port 80 or 443: tcpdump -A -s 0 'tcp port 80 or tcp port 443 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
  • Use Wireshark to filter HTTP upgrade requests by applying the filter: http.request.method == "GET" and http.header contains "Upgrade: websocket"
  • Inspect captured requests for headers containing CR or LF characters or multiple headers injected via CRLF sequences.

Additionally, reviewing application logs for unusual or malformed WebSocket upgrade requests or errors related to handshake failures may help detect exploitation attempts.

Mitigation Strategies

The primary mitigation is to upgrade the hackney library to version 4.0.1 or later, where the vulnerability has been fixed by validating and rejecting any CR, LF, or NUL bytes in the WebSocket upgrade request fields before sending the handshake.

If upgrading immediately is not possible, ensure that any user-supplied input used in WebSocket upgrade requests (host, path, headers, protocols) is sanitized to remove or encode CR, LF, and NUL characters to prevent injection.

Monitor and restrict untrusted input that can influence WebSocket upgrade requests, and consider implementing network-level protections such as Web Application Firewalls (WAFs) to detect and block suspicious header injection attempts.

Review and update your security policies to handle and log handshake errors like `invalid_handshake_header` which indicate rejected malicious requests.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47072. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart