Hackney has CRLF / header injection in WebSocket upgrade request
🔗 CVE IDs covered (1)
📋 Description
Summary
CRLF injection in hackney's WebSocket upgrade request builder (src/hackney_ws.erl). init/1 copies the host, path, headers, and protocols options from the caller-supplied opts map verbatim into #ws_data{}, and do_handshake/1 splices them directly into the raw HTTP/1.1 upgrade request by binary concatenation with no \r\n or \0 stripping. A caller that passes any of these fields from untrusted input can inject arbitrary header lines into the outbound upgrade request.
Details
do_handshake/1 builds the upgrade request at several concatenation sites:
- Host header (lines 583–590): the host binary is written straight into
Host: <host>:<port>\r\n. - Sec-WebSocket-Protocol (lines 601–602): protocol tokens are joined with
,and appended as a header line. - Extra headers (line 606): caller-supplied
{Name, Value}tuples are concatenated asName: Value\r\nwith no sanitization of either component. - Request path (line 611): the path is interpolated into the
GET <path> HTTP/1.1\r\nrequest line.
None of these sites reject \r, \n, or \0. A header value like <<"benign\r\nAuthorization: Bearer token">> produces two distinct header lines on the wire. A path with an embedded \r\n rewrites the request line itself.
PoC
- Call
:hackney_ws.start_link/1withheaders: [{"X-User", "v\r\nAuthorization: Bearer attacker"}]. - Connect to a raw TCP listener and capture the bytes hackney writes.
- The request contains a standalone
Authorization: Bearer attackerline that the upstream WebSocket server parses as a legitimate header.
Impact
Header injection / request smuggling in outbound WebSocket upgrades. Affects hackney 2.0.0 through 4.0.0 wherever host, path, headers, or protocols options are populated from network or user input. Consequences include forging authentication headers toward the upstream server, log and cache poisoning, and request smuggling through intermediary proxies. CVSS v4.0: 6.9 (MEDIUM).
Resources
- Introduction commit: https://github.com/benoitc/hackney/commit/690cecaf236fba49526da404a5bc889a24367a3e
- Patch commit: https://github.com/benoitc/hackney/commit/52310ca807e7b48441ba0e9129171f535313fdd1
🎯 Affected products1
- erlang/hackney:>= 2.0.0, < 4.0.1
🔗 References (6)
- https://github.com/benoitc/hackney/security/advisories/GHSA-f9vr-g2g2-x9fg
- https://nvd.nist.gov/vuln/detail/CVE-2026-47072
- https://github.com/benoitc/hackney/commit/52310ca807e7b48441ba0e9129171f535313fdd1
- https://cna.erlef.org/cves/CVE-2026-47072.html
- https://osv.dev/vulnerability/EEF-CVE-2026-47072
- https://github.com/advisories/GHSA-f9vr-g2g2-x9fg