CVE-2026-47072 Overview
CVE-2026-47072 is a Carriage Return Line Feed (CRLF) injection vulnerability in the benoitc/hackney Erlang HTTP client library. The flaw exists in the WebSocket upgrade code path in src/hackney_ws.erl, where caller-supplied options including host, path, headers, and protocols are concatenated directly into the raw HTTP/1.1 upgrade request without CRLF or NUL stripping. An attacker who controls any of these options can inject arbitrary HTTP headers into the outbound WebSocket upgrade request. The issue affects hackney from version 2.0.0 before 4.0.1 and is tracked under CWE-93.
Critical Impact
Successful exploitation enables HTTP request/response splitting, credential spoofing toward upstream servers, log and cache poisoning, and request smuggling through intermediary proxies.
Affected Products
- benoitc hackney 2.0.0 through 4.0.0
- Erlang applications using hackney_ws:start_link/1 with untrusted input
- Downstream libraries depending on hackney WebSocket client functionality
Discovery Timeline
- 2026-05-25 - CVE CVE-2026-47072 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-47072
Vulnerability Analysis
The hackney library is a widely used HTTP client for Erlang and Elixir applications. The WebSocket upgrade implementation in src/hackney_ws.erl constructs the HTTP/1.1 upgrade request by binary concatenation. The init/1 function copies the host, path, ExtraHeaders, and protocols values from the caller-supplied options map into the internal #ws_data{} record. The do_handshake/1 function then splices those values verbatim into the outgoing request bytes.
No sanitization layer rejects or escapes embedded \r\n or \\x00 bytes before the request is sent. As a result, any of the four fields can carry attacker-controlled line terminators that terminate the current header and start new ones.
Root Cause
The root cause is missing input neutralization at four injection sites in the WebSocket handshake builder. The library trusts that caller-supplied option values are syntactically safe for direct use in an HTTP message. Applications that forward URL components or header values from untrusted sources into hackney_ws:start_link/1 inherit this trust failure.
Attack Vector
An attacker who influences any of the four controllable fields embeds CRLF sequences into the value. Those sequences terminate the legitimate header line and inject arbitrary headers, an empty line, or even a complete second request body into the TCP stream. Downstream effects depend on the topology: a vulnerable upstream WebSocket server may accept spoofed authentication headers, an intermediary proxy may desynchronize and route smuggled requests, and cache or log infrastructure may record poisoned entries. The fix in commit 52310ca807e7b48441ba0e9129171f535313fdd1 adds CRLF and NUL validation to reject malicious option values before transmission.
Detection Methods for CVE-2026-47072
Indicators of Compromise
- Outbound WebSocket upgrade requests containing unexpected header lines or duplicate Host, Authorization, or Cookie headers
- Proxy or upstream server logs showing requests with embedded %0d%0a or raw CRLF sequences in URL or header fields
- Anomalous cache entries keyed on URLs that contain encoded line terminators
Detection Strategies
- Inventory all Erlang and Elixir applications and resolve the hackney dependency version through rebar.lock or mix.lock to flag versions in the 2.0.0 to 4.0.0 range
- Perform static analysis on call sites of hackney_ws:start_link/1 and hackney:request/5 to identify flows where user input reaches host, path, headers, or protocols options
- Inspect outbound HTTP traffic for upgrade requests with multiple header occurrences or non-printable byte sequences
Monitoring Recommendations
- Enable structured logging on reverse proxies and WAFs to capture raw request lines and flag CRLF artifacts in client requests
- Alert on WebSocket connections that present headers inconsistent with the configured application client profile
- Correlate authentication anomalies on upstream services with the timing of WebSocket handshake activity
How to Mitigate CVE-2026-47072
Immediate Actions Required
- Upgrade hackney to version 4.0.1 or later across all Erlang and Elixir services
- Audit application code that constructs WebSocket clients to ensure host, path, headers, and protocols are never sourced directly from untrusted input
- Rebuild and redeploy release artifacts to ensure the patched dependency is loaded at runtime
Patch Information
The fix is published in hackney 4.0.1. The upstream commit 52310ca807e7b48441ba0e9129171f535313fdd1 adds CRLF and NUL validation to the WebSocket upgrade path. See the GitHub Security Advisory GHSA-f9vr-g2g2-x9fg and the CNA report for full coordination details.
Workarounds
- Validate and reject any caller-supplied option value containing \r, \n, or \\x00 before invoking hackney_ws:start_link/1
- Constrain WebSocket client options to allow-listed values when possible rather than passing through external data
- Place an egress proxy in front of hackney clients that normalizes outbound HTTP headers and strips CRLF sequences
# Example dependency pin for rebar3
{deps, [
{hackney, "4.0.1"}
]}.
# Example dependency pin for Mix (Elixir)
defp deps do
[
{:hackney, "~> 4.0.1"}
]
end
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
