PatchSiren cyber security CVE debrief
CVE-2026-47069 benoitc CVE debrief
A CRLF injection vulnerability exists in the hackney Erlang HTTP client library, specifically within the `hackney_cookie:setcookie/3` function. While the function validates cookie names and values against CRLF and control characters, it fails to apply equivalent sanitization to the `domain` and `path` options. An attacker who can influence these options—such as through a crafted Host header or request path—can inject CRLF sequences to split HTTP responses and inject arbitrary Set-Cookie headers. This affects hackney versions from 0.9.0 through 4.0.0. The vulnerability was disclosed on 2026-05-25 and last modified on 2026-05-26. A fix is available in version 4.0.1.
- Vendor: benoitc
- Product: hackney
- CVSS: LOW 2.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-25
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-25
- Advisory updated: 2026-05-27
Who should care
Organizations using the hackney Erlang HTTP client library, particularly those handling cookies with domain or path values derived from user input such as Host headers or request paths. This includes Elixir and Erlang web applications that rely on hackney for HTTP client functionality.
Technical summary
The hackney Erlang HTTP client library contains a CRLF injection vulnerability in its cookie handling. The `hackney_cookie:setcookie/3` function properly validates cookie names and values against CRLF sequences but concatenates the `domain` and `path` options directly into the output iolist without sanitization. This allows attackers controlling these options to perform HTTP response splitting by injecting CRLF sequences followed by arbitrary Set-Cookie headers. The attack surface includes scenarios where Host header values are forwarded as cookie domains or request paths are forwarded as cookie paths. The vulnerability is rated LOW severity (CVSS 4.0: 2.1) with local attack vector and low integrity impact.
Defensive priority
medium
Recommended defensive actions
- Upgrade hackney to version 4.0.1 or later to obtain the fix for CRLF injection in cookie domain and path handling
- Review application code for any direct usage of `hackney_cookie:setcookie/3` with user-controlled domain or path values
- Implement input validation for Host headers and request paths before passing them to cookie-setting functions
- Monitor HTTP response headers in production for unexpected Set-Cookie injections
- If an immediate upgrade is not possible, sanitize domain and path inputs by stripping CRLF (0x0D, 0x0A) and other control characters before passing them to hackney cookie functions
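A fail-closed wrapper for the interim mitigation above, added here as an example; it is not hackney's or the advisory's own code. It assumes the `domain` and `path` options of `hackney_cookie:setcookie/3` are binaries in the option proplist, and the strings in `demo/0` are constructed samples.

```erlang
%% Added example, not part of hackney: validate cookie attribute values
%% before handing them to hackney_cookie:setcookie/3. Assumes the
%% `domain` and `path` options are given as binaries in the proplist.
-module(safe_cookie).
-export([valid_attr/1, setcookie/3, demo/0]).

%% A cookie attribute value may contain only printable ASCII and must not
%% contain CR (0x0D), LF (0x0A), other control bytes, DEL or ';', which
%% would otherwise end the header line or the attribute.
valid_attr(Bin) when is_binary(Bin) ->
    valid_attr(binary_to_list(Bin));
valid_attr(Str) when is_list(Str) ->
    lists:all(fun(C) ->
                  is_integer(C) andalso C >= 16#20
                      andalso C < 16#7F andalso C =/= $;
              end, Str);
valid_attr(_Other) ->
    false.

%% Fail-closed wrapper: build the Set-Cookie iolist only when the
%% domain and path options are clean; otherwise return an error tuple.
setcookie(Name, Value, Opts) when is_list(Opts) ->
    Domain = proplists:get_value(domain, Opts, <<>>),
    Path = proplists:get_value(path, Opts, <<"/">>),
    case valid_attr(Domain) andalso valid_attr(Path) of
        true -> {ok, hackney_cookie:setcookie(Name, Value, Opts)};
        false -> {error, invalid_cookie_attribute}
    end.

%% Constructed check: a Host-derived domain carrying CRLF is rejected,
%% a plain host name and a normal path are accepted, and a path with a
%% NUL byte fails.
demo() ->
    false = valid_attr(<<"example.com\r\nSet-Cookie: injected=1">>),
    true = valid_attr(<<"example.com">>),
    true = valid_attr(<<"/app/session">>),
    false = valid_attr(<<"/app", 0>>),
    ok.
```

`valid_attr/1` and `demo/0` run without hackney installed; `setcookie/3` needs hackney on the code path, and until the upgrade to 4.0.1 it is the call site that should replace direct use of `hackney_cookie:setcookie/3`.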
Evidence notes
The vulnerability description is sourced from the official CVE record and NVD entry. The affected version range (0.9.0 before 4.0.1) and specific function (`hackney_cookie:setcookie/3`) are confirmed in the CVE description. The fix commit (8e02b99c28aea1b3fa2ddc0e66f51fe5bb0ac540) is referenced in source metadata. The CVSS 4.0 vector (AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N) indicates local attack vector with low integrity impact, consistent with the LOW severity rating of 2.1.
Official resources
- CVE-2026-47069 CVE record (CVE.org)
- CVE-2026-47069 NVD detail (NVD)
- Mitigation or vendor reference: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db - Third Party Advisory, Patch
- Mitigation or vendor reference: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db - Patch
- Mitigation or vendor reference: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db - Exploit, Patch, Vendor Advisory