CVE-2026-47072
Status: Received - Intake
CRLF Injection in hackney WebSocket Upgrade

Publication date: 2026-05-25

Last updated on: 2026-05-25

Assigner: EEF

Description
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackney_ws.erl copies the host, path, headers (ExtraHeaders), and protocols options from the caller-supplied opts map into the internal #ws_data{} record in init/1 and then splices them verbatim into the raw HTTP/1.1 upgrade request by binary concatenation in do_handshake/1. No CRLF or NUL stripping is performed at any of these four injection sites. An attacker who controls any of these options (for example, when URL components or header values from untrusted input are forwarded into hackney_ws:start_link/1) can inject arbitrary HTTP headers into the outbound WebSocket upgrade request, leading to header injection, credential spoofing toward the upstream server, log and cache poisoning, or request smuggling via intermediary proxies. This issue affects hackney: from 2.0.0 before 4.0.1.
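The splice the description refers to, modelled as an added example (illustrative Python, not hackney's Erlang code): the upgrade request is assembled by concatenating the four caller-controlled values, a header value carrying CRLF turns into an extra Authorization header, a path carrying a blank line turns into a second request on the same connection, and a caller-side check that rejects CR, LF and NUL before any value reaches hackney_ws:start_link/1 stops both. The request layout follows the standard RFC 6455 upgrade; the function names and sample values are this example's own.

```python
"""Added illustration for CVE-2026-47072 (not hackney's own code).

Models, in Python, the pattern the advisory describes in hackney_ws.erl:
host, path, extra headers and protocols are concatenated verbatim into the
HTTP/1.1 upgrade request, so any of them carrying CR/LF ends up as extra
header lines, or as a second request, on the wire. The caller-side check a
consumer of hackney_ws:start_link/1 would apply is shown alongside. All
function names and sample values are this example's own.
"""
import base64
import os

# The characters the advisory says are never stripped at the four splice points.
FORBIDDEN = {"\r", "\n", "\x00"}


def build_upgrade_unchecked(host, path, extra_headers, protocols, key=None):
    """Splice the four caller-controlled fields verbatim (the vulnerable pattern)."""
    key = key or base64.b64encode(os.urandom(16)).decode("ascii")
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {key}",
        "Sec-WebSocket-Version: 13",
    ]
    if protocols:
        lines.append("Sec-WebSocket-Protocol: " + ", ".join(protocols))
    lines.extend(f"{name}: {value}" for name, value in extra_headers)
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def reject_crlf(field, value):
    """Raise ValueError if a field would break the line structure of the request."""
    if any(ch in FORBIDDEN for ch in value):
        raise ValueError(f"{field} contains CR, LF or NUL: {value!r}")
    return value


def build_upgrade_checked(host, path, extra_headers, protocols, key=None):
    """Same request, but every splice point is validated before concatenation."""
    reject_crlf("host", host)
    reject_crlf("path", path)
    for name, value in extra_headers:
        reject_crlf("header name", name)
        reject_crlf("header value", value)
    for proto in protocols:
        reject_crlf("protocol", proto)
    return build_upgrade_unchecked(host, path, extra_headers, protocols, key)


def parse_head(raw):
    """Read one request head as a proxy or origin would: (request_line, [(name, value)])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def split_requests(raw):
    """Split a byte stream at blank lines, as a pipelining parser would."""
    return [part for part in raw.split(b"\r\n\r\n") if part]


def demo():
    """Return (spoofed_header_seen, second_request_seen, checked_builder_rejected)."""
    # Constructed untrusted inputs: a header value and a path carrying CRLF.
    forged = ("X-Forwarded-For", "203.0.113.7\r\nAuthorization: Bearer forged-token")
    smuggled_path = "/socket HTTP/1.1\r\nHost: chat.example.test\r\n\r\nGET /internal/admin"

    # Header-value injection: the upstream sees an Authorization header the caller never set.
    raw = build_upgrade_unchecked("chat.example.test", "/socket", [forged], ["chat"])
    _, headers = parse_head(raw)
    spoofed = ("authorization", "Bearer forged-token") in headers

    # Path injection: the blank line ends the first request and starts a second one.
    raw2 = build_upgrade_unchecked("chat.example.test", smuggled_path, [], [])
    second = split_requests(raw2)[1].startswith(b"GET /internal/admin HTTP/1.1")

    # The checked builder refuses the same input before anything is concatenated.
    try:
        build_upgrade_checked("chat.example.test", "/socket", [forged], ["chat"])
        rejected = False
    except ValueError:
        rejected = True
    return spoofed, second, rejected


if __name__ == "__main__":
    print(demo())
```

The check belongs at the boundary where untrusted values enter the application, before they are placed in the opts map; it is a caller-side mitigation for code that cannot move off an affected version yet, not a substitute for upgrading to a version outside the affected range.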
Meta Information
Generated: 2026-05-26
AI Q&A: 2026-05-26
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: benoitc
Product: hackney
Version / Range: from 2.0.0 (inclusive) to 4.0.1 (exclusive)
CWE
CWE-93: The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an Improper Neutralization of CRLF Sequences, also known as CRLF Injection, in the benoitc hackney library. It occurs in the WebSocket upgrade code where user-supplied options such as host, path, headers, and protocols are copied directly into the HTTP/1.1 upgrade request without any filtering or removal of CRLF (Carriage Return Line Feed) or NUL characters. This allows an attacker who controls any of these inputs to inject arbitrary HTTP headers into the outbound WebSocket upgrade request.

Because no sanitization is performed, an attacker can exploit this to perform HTTP header injection, which can lead to credential spoofing toward upstream servers, log and cache poisoning, or request smuggling through intermediary proxies.


How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers to inject arbitrary HTTP headers into WebSocket upgrade requests. This can lead to several security issues including:

  • Credential spoofing toward upstream servers, potentially allowing attackers to impersonate legitimate users or services.
  • Log and cache poisoning, which can corrupt logs or cached data, making it difficult to detect attacks or causing incorrect data to be served.
  • Request smuggling via intermediary proxies, which can be used to bypass security controls or manipulate requests and responses.
