Hackney: Cross-origin Redirect Leaks Authorization, Cookie, and Request Body
🔗 CVE IDs covered (1)
📋 Description
Summary
The HTTP/3 redirect handler in src/hackney_h3.erl forwards the original request headers (Authorization, Cookie, Proxy-Authorization) and, for 307/308 responses, the original request body to the redirect target without checking whether the target host matches the origin. When follow_redirect is enabled and a server responds with a cross-origin Location, hackney delivers the caller's credentials verbatim to the attacker-controlled host. The main hackney HTTP/1 client has maybe_strip_auth_on_redirect/2 (the fix for CVE-2018-1000007); the H3 client was added later without it.
Details
In src/hackney_h3.erl, handle_redirect/11 (line 165) extracts the redirect target from the server-controlled Location header via get_redirect_location/1 and resolves it with resolve_redirect_url/2, which accepts any absolute http:// or https:// URL. It then calls do_request_with_redirect/8 passing the original Headers list unchanged. For 307/308 responses, redirect_method/2 preserves the original method and body, so the POST body is also forwarded.
No comparison is made between the original URL's scheme, host, or port and the redirect target. The downstream connect/3 opens a new QUIC connection to whatever the Location header named, and build_request_headers/4 serializes the unmodified headers into the QPACK-encoded request.
PoC
- Issue an HTTP/3 POST to an attacker-controlled origin with
follow_redirect => trueand anAuthorization: Bearer ...header. - The attacker's server responds
307 Location: https://other.host/collect. - hackney opens a new connection to
other.hostand re-sends the original headers and body, including the bearer token and anyCookieheaders.
Impact
Credential and request-body disclosure to attacker-controlled origins. Affects hackney 3.1.1 through 4.0.0 when using the HTTP/3 client with follow_redirect enabled. Any upstream that is malicious, compromised, or reachable via DNS/MITM can steal session tokens, bearer credentials, and POST bodies. CVSS v4.0: 6.0 (MEDIUM).
Resources
- Introduction commit: https://github.com/benoitc/hackney/commit/e61b7d04b7826847e1efe614106ef4d580c78eab
- Patch commit: https://github.com/benoitc/hackney/commit/c58d5b50bade146360b85caf3dc8065807b08246
🎯 Affected products1
- erlang/hackney:>= 3.1.1, < 4.0.1
🔗 References (6)
- https://github.com/benoitc/hackney/security/advisories/GHSA-h73q-4w9q-82h4
- https://nvd.nist.gov/vuln/detail/CVE-2026-47070
- https://github.com/benoitc/hackney/commit/c58d5b50bade146360b85caf3dc8065807b08246
- https://cna.erlef.org/cves/CVE-2026-47070.html
- https://osv.dev/vulnerability/EEF-CVE-2026-47070
- https://github.com/advisories/GHSA-h73q-4w9q-82h4