CVE-2026-47075
Improper CRLF Injection in hackney HTTP Client
Publication date: 2026-05-25
Last updated on: 2026-05-25
Assigner: EEF
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| benoitc | hackney | From 0 (inc) to 4.0.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an improper neutralization of CRLF sequences (CWE-93) in the benoitc hackney HTTP client for Erlang. It allows HTTP request splitting because hackney does not percent-encode carriage return (\r, 0x0D) or line feed (\n, 0x0A) characters in the URL query component before writing the HTTP/1.1 request target to the wire.
Specifically, hackney_url:make_url/3 passes the query string through unchanged instead of validating or percent-encoding these characters, which RFC 3986 Section 3.4 does not permit in a query. An attacker who controls part or all of a URL passed to hackney (for example, a user-supplied search term that the application concatenates into the query string) can inject raw CRLF sequences; the first CRLF terminates the request line early, so the rest of the attacker's input is parsed by the server as additional HTTP headers or even as a second request.
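The mechanism described above, as an added example that is not hackney's code: a toy Python HTTP/1.1 request serializer that copies the query verbatim (the vulnerable behaviour) beside one that percent-encodes it per RFC 3986 Section 3.4 (the fix), a lenient server-side parser that shows what each produces, and a pre-flight check a caller can run before handing a URL to any HTTP client. The serializer, URL splitter and parser are models written for this example; the host api.example.test and the X-Injected header are constructed.

```python
"""Added example (not hackney's code): a raw CR/LF in a URL query becomes
HTTP request splitting when the request target is copied verbatim into the
request line; RFC 3986 query encoding prevents it.

The serializer, splitter and parser below are toy models written for this
example; the host api.example.test and the X-Injected header are constructed.
"""
import re

# RFC 3986 section 3.4: query = *( pchar / "/" / "?" )
# pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
_UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                  "0123456789-._~")
_SUB_DELIMS = set("!$&'()*+,;=")
QUERY_SAFE = _UNRESERVED | _SUB_DELIMS | set(":@/?")
_PCT = re.compile(r"%[0-9A-Fa-f]{2}")


def encode_query(query: str) -> str:
    """Percent-encode every byte that RFC 3986 does not allow in a query.

    Existing %XX triples are kept (already-encoded input is not double
    encoded); a bare '%' and control characters such as CR/LF are encoded.
    """
    out, i = [], 0
    while i < len(query):
        if _PCT.match(query, i):
            out.append(query[i:i + 3])
            i += 3
            continue
        ch = query[i]
        if ch in QUERY_SAFE:
            out.append(ch)
        else:
            out.append("".join(f"%{b:02X}" for b in ch.encode("utf-8")))
        i += 1
    return "".join(out)


def split_url(url: str):
    """Minimal http(s) URL splitter into (authority, path, query).

    urllib.parse.urlsplit is deliberately not used: since bpo-43882 it strips
    CR, LF and TAB from its input, which would hide the very bytes this
    example is about. Fragments are not handled.
    """
    _, _, rest = url.partition("://")
    authority, _, path_and_query = rest.partition("/")
    path, _, query = ("/" + path_and_query).partition("?")
    return authority, path, query


def build_request(url: str, encode: bool) -> bytes:
    """Serialize GET <url> as HTTP/1.1 wire bytes.

    encode=False models the vulnerable behaviour (query copied verbatim);
    encode=True models the fix (query percent-encoded before serialization).
    """
    authority, path, query = split_url(url)
    if encode:
        query = encode_query(query)
    target = f"{path}?{query}" if query else path
    head = [f"GET {target} HTTP/1.1", f"Host: {authority}", "Connection: close"]
    return ("\r\n".join(head) + "\r\n\r\n").encode("utf-8")


def parse_request(wire: bytes):
    """Parse wire bytes the way a lenient HTTP/1.1 server would: the first
    CRLF ends the request line, each later CRLF ends a header line."""
    head, _, _body = wire.partition(b"\r\n\r\n")
    lines = head.decode("utf-8").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def has_raw_crlf(url: str) -> bool:
    """Pre-flight check a caller can apply before handing a URL to any HTTP
    client: an unencoded CR or LF anywhere in the URL is a splitting attempt."""
    return "\r" in url or "\n" in url


if __name__ == "__main__":
    # Constructed attacker-controlled query: a raw CRLF followed by a header.
    url = "http://api.example.test/search?q=1\r\nX-Injected: yes"
    print(has_raw_crlf(url))                                # True
    line, hdrs = parse_request(build_request(url, encode=False))
    print(line, hdrs)   # request line cut at q=1; an x-injected header appears
    line, hdrs = parse_request(build_request(url, encode=True))
    print(line, hdrs)   # target keeps %0D%0A; no injected header
```

The vulnerable path shows the request line ending at `q=1` and `X-Injected` arriving as a header; the encoded path keeps the whole attacker string inside the request target as `%0D%0A`. The `has_raw_crlf` check is the cheap application-side guard for callers that cannot upgrade immediately: reject any URL built from untrusted input that contains a raw CR or LF rather than relying on the client to encode it.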
How can this vulnerability impact me?
This vulnerability allows an attacker to perform HTTP request splitting against any request whose URL contains attacker-controlled input. The attacker can inject arbitrary HTTP headers into the outgoing request or append a second request, which, depending on how the requests are processed downstream, can lead to cache poisoning, cross-site scripting (XSS), session fixation, or other malicious behaviour. Versions before 4.0.1 are affected (see the table above); upgrading to 4.0.1 or later resolves it, and callers that build URLs from untrusted input should additionally reject or percent-encode CR and LF before handing the URL to the client.