PatchSiren

CVE-2026-47072 benoitc CVE debrief

CVE-2026-47072 documents a CRLF injection vulnerability in the hackney Erlang HTTP client, specifically in its WebSocket upgrade implementation. The flaw exists in versions 2.0.0 through 4.0.0, where caller-supplied values for host, path, headers, and protocols are concatenated directly into the raw HTTP/1.1 upgrade request without removal of carriage return (CR), line feed (LF), or NUL characters. An attacker who controls any of these parameters can therefore inject arbitrary HTTP header lines, enabling request/response splitting against the upstream WebSocket server or any intermediary proxy that parses the request. The vulnerability was published on 2026-05-25 and last modified on 2026-05-26. A fix is available in version 4.0.1. The issue is rated CVSS 6.9 (Medium); its CVSS 4.0 vector indicates network attack vector, low attack complexity, and an integrity impact on the subsequent system (the server or proxy that parses the forged request). No exploitation in ransomware campaigns has been reported.

Vendor: benoitc
Product: hackney
CVSS: MEDIUM 6.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-26
Advisory published: 2026-05-25
Advisory updated: 2026-05-26

Who should care

Organizations running Erlang/Elixir applications that use hackney for WebSocket connections, particularly those accepting user-controlled URLs or headers that are forwarded to upstream WebSocket services. Infrastructure teams operating reverse proxies or load balancers in front of such applications should also assess request smuggling exposure.

Technical summary

The hackney Erlang HTTP client's WebSocket module (hackney_ws) fails to neutralize CR, LF, and NUL characters at four injection points: host, path, ExtraHeaders, and protocols. In init/1, these values are copied from caller-supplied opts into the internal #ws_data{} record. In do_handshake/1, they are spliced via binary concatenation into the raw HTTP/1.1 upgrade request without sanitization. Because the request is assembled as a flat byte string, a CRLF embedded in any of the four values terminates the line it sits in and whatever follows is parsed as further header lines (or, after a blank line, as a second request). An attacker controlling any of these parameters can thus inject arbitrary HTTP headers, leading to credential spoofing, cache poisoning, or request smuggling through intermediary infrastructure. The vulnerability is exploitable only when an application forwards untrusted input (such as URL path segments or header values taken from external requests) into hackney_ws:start_link/1; hard-coded connection parameters are not affected. The fix in commit 52310ca807e7b48441ba0e9129171f535313fdd1 strips CR, LF, and NUL characters at these injection points.

Defensive priority

medium

Recommended defensive actions

  • Upgrade hackney to version 4.0.1 or later
  • Audit application code for any forwarding of untrusted URL components or header values into the opts parameter of hackney_ws:start_link/1
  • Validate host, path, header values, and protocol names before passing them to hackney WebSocket functions: reject values containing CR, LF, or NUL rather than relying on the client to strip them, and percent-encode path components built from user input
  • Review proxy and load balancer configurations for request smuggling mitigations (strict HTTP/1.1 parsing, rejection of ambiguous framing)
  • Monitor application logs for literal or percent-encoded CR/LF sequences (such as %0D%0A) in inbound values that are forwarded into WebSocket upgrade requests
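As an added example (not hackney's code and not the fix commit), the following Erlang module reconstructs the shape of the bug described in the technical summary and the boundary validation recommended above. The module and function names (ws_upgrade_demo, build_upgrade/4, validate_opts/1, header_lines/1) are hypothetical, the request layout is a simplified stand-in for what do_handshake/1 emits, and the attacker-controlled path in demo/0 is constructed for the demonstration.

```erlang
%% Added example, not hackney code. Shows how unsanitized binary
%% concatenation lets a CRLF in `path` inject header lines into an
%% HTTP/1.1 upgrade request, and a guard that rejects CR, LF and NUL
%% before the values reach the client.
-module(ws_upgrade_demo).
-export([build_upgrade/4, validate_opts/1, header_lines/1, demo/0]).

%% Naive request assembly: caller-supplied values are concatenated
%% directly into the request. Illustrative shape only (hypothetical).
-spec build_upgrade(binary(), binary(), [{binary(), binary()}], [binary()]) -> binary().
build_upgrade(Host, Path, ExtraHeaders, Protocols) ->
    Extra = << <<K/binary, ": ", V/binary, "\r\n">> || {K, V} <- ExtraHeaders >>,
    Proto = case Protocols of
                [] -> <<>>;
                _  -> <<"Sec-WebSocket-Protocol: ",
                        (join(Protocols, <<", ">>))/binary, "\r\n">>
            end,
    <<"GET ", Path/binary, " HTTP/1.1\r\n",
      "Host: ", Host/binary, "\r\n",
      "Upgrade: websocket\r\n",
      "Connection: Upgrade\r\n",
      "Sec-WebSocket-Version: 13\r\n",
      Extra/binary, Proto/binary, "\r\n">>.

join([], _Sep) -> <<>>;
join([H], _Sep) -> H;
join([H | T], Sep) -> <<H/binary, Sep/binary, (join(T, Sep))/binary>>.

%% Split the request on CRLF: this is the line structure an upstream
%% server or proxy parser actually sees.
header_lines(Req) ->
    [L || L <- binary:split(Req, <<"\r\n">>, [global]), L =/= <<>>].

%% Guard to apply before hackney_ws:start_link/1. Returns {ok, Opts} or
%% {error, {ctl_chars_in, Keys}} naming every value that carries CR, LF
%% or NUL. Rejecting (rather than stripping) surfaces the attempt instead
%% of silently altering a value the caller may log or forward later.
validate_opts(Opts) ->
    Values = [{host, proplists:get_value(host, Opts, <<>>)},
              {path, proplists:get_value(path, Opts, <<>>)}]
             ++ [{{header, K}, V} || {K, V} <- proplists:get_value(headers, Opts, [])]
             ++ [{protocol, P} || P <- proplists:get_value(protocols, Opts, [])],
    case [Key || {Key, V} <- Values, has_ctl(V)] of
        []  -> {ok, Opts};
        Bad -> {error, {ctl_chars_in, Bad}}
    end.

has_ctl(Bin) when is_binary(Bin) ->
    binary:match(Bin, [<<"\r">>, <<"\n">>, <<0>>]) =/= nomatch;
has_ctl(L) when is_list(L) ->
    has_ctl(iolist_to_binary(L)).

%% Constructed attacker input: a path value carrying CRLF. The first
%% element of the result is the injected header line as the upstream
%% parser would see it; the second is the guard's verdict on the same opts.
demo() ->
    BadPath = <<"/chat HTTP/1.1\r\nX-Forwarded-For: 127.0.0.1\r\nX-Injected: yes">>,
    Req = build_upgrade(<<"ws.example.test">>, BadPath, [], [<<"chat">>]),
    Injected = [L || L <- header_lines(Req),
                     binary:match(L, <<"X-Injected">>) =/= nomatch],
    Opts = [{host, <<"ws.example.test">>}, {path, BadPath},
            {headers, []}, {protocols, [<<"chat">>]}],
    {Injected, validate_opts(Opts)}.
```

Calling ws_upgrade_demo:demo() from an Erlang shell after compiling the module returns {[<<"X-Injected: yes">>], {error, {ctl_chars_in, [path]}}}: the naive assembly hands the upstream parser an attacker-chosen header line, while the guard flags the path before it can be used. The same guard applies unchanged to the host, header and protocol values, which are the other three injection points named in the technical summary.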

Evidence notes

Vulnerability description sourced from NVD record with CVE.org cross-reference. Affected version range and fix version confirmed through GitHub security advisory and commit reference. CVSS 4.0 vector and score from NVD metadata. Vendor attribution to benoitc/hackney project based on source references.

Official resources

NVD record and CVE.org entry for CVE-2026-47072; GitHub security advisory for hackney; fix commit 52310ca807e7b48441ba0e9129171f535313fdd1. Published 2026-05-25.