Vypr Intelligence · AI-generated · May 31, 2026 · 10 CVEs

Hackney HTTP Client: Ten CVEs Disclosed in a Single Batch — CRLF Injection, Resource Exhaustion, and More

Ten vulnerabilities spanning CRLF injection, resource exhaustion, SSRF, and sensitive data exposure were disclosed together on May 25, 2026, in the widely used Erlang HTTP client library Hackney.

Key findings

  • Ten CVEs disclosed in a single batch on May 25, 2026, affecting the Erlang HTTP client Hackney
  • Seven CVEs rated High (CVSS 7.5); three rated Medium (6.5, 6.1, 5.3)
  • Three CRLF injection bugs enable HTTP request/response splitting across HTTP/1.1, WebSocket, and cookie handlers
  • CVE-2026-47067 can exhaust the BEAM atom table via unrecognized URL schemes, crashing the entire Erlang VM
  • CVE-2026-47076 allows SSRF via URL-decoding the host after parsing, bypassing host-based allowlists
  • No patch available as of disclosure date; users should monitor the Hackney repository for fixes

On May 25, 2026, a batch of ten CVEs was published for Hackney, the popular Erlang HTTP client library maintained by Benoitc. The vulnerabilities span multiple protocol handlers — HTTP/1.1, HTTP/3, WebSocket, and SOCKS5 — and include CRLF injection, uncontrolled resource consumption, server-side request forgery, and sensitive data exposure. Seven of the ten carry a CVSSv3 score of 7.5 (High), while the remaining three are rated Medium (6.5, 6.1, and 5.3). The breadth of affected components means that any application using Hackney to make outbound HTTP requests could be impacted.

CRLF Injection and Request/Response Splitting

Three CVEs in the batch deal with improper neutralization of CRLF sequences. CVE-2026-47075 (CVSS 7.5) affects the HTTP/1.1 code path: Hackney does not percent-encode carriage return (\r) or line feed (\n) characters in the URL query component before constructing the request target. An attacker who controls part of a URL passed to Hackney can inject headers or split the request entirely.

CVE-2026-47072 (CVSS 7.5) targets the WebSocket upgrade path in src/hackney_ws.erl. The host, path, headers (ExtraHeaders), and protocols options from the caller-supplied opts map are copied into the internal #ws_data{} record without sanitization, enabling HTTP request/response splitting via CRLF injection.

CVE-2026-47069 (CVSS 5.3) is a more constrained CRLF issue in the cookie handler. The hackney_cookie:setcookie/3 function validates the Name and Value arguments against CRLF and control characters, but concatenates the domain and path options verbatim, allowing HTTP response splitting through those fields.

Resource Exhaustion and Denial of Service

Five CVEs describe allocation or resource exhaustion bugs that can lead to denial of service. CVE-2026-47077 (CVSS 7.5) targets the HTTP/3 response body handler: hackney_h3:await_response_loop/6 accumulates the entire response body in memory with no size cap. The per-message inactivity timer resets on every received chunk, meaning a slow drip of data can keep the connection alive indefinitely while memory grows without bound.

CVE-2026-47073 (CVSS 7.5) covers three unbounded memory consumption paths in the WebSocket client (src/hackney_ws.erl). The read_handshake_response/3 function accumulates received bytes into a growing buffer with no size cap, and two additional code paths in the same module similarly lack limits.

CVE-2026-47071 (CVSS 7.5) affects the SOCKS5 transport in src/hackney_socks5.erl. While the SOCKS5 negotiation phase correctly applies the caller-supplied timeout, the subsequent TLS upgrade uses the two-argument form ssl:connect/2, which defaults to an infinite timeout. A malicious SOCKS5 proxy can stall the TLS handshake indefinitely, tying up resources.

CVE-2026-47067 (CVSS 7.5) is a particularly insidious bug in the URL parser (src/hackney_url.erl). Every unrecognized URL scheme is converted to a permanent BEAM atom via binary_to_atom/2. BEAM atoms are never garbage-collected, and the atom table defaults to a hard limit of 1,048,576 entries. An attacker who can supply arbitrary URLs can exhaust the atom table, crashing the entire Erlang VM.

CVE-2026-47066 (CVSS 7.5) describes an infinite loop in the Alt-Svc response header parser (src/hackney_altsvc.erl). When parse_token/2 receives a non-token, non-whitespace, non-comma byte (e.g. !, @, =, ;), it returns without advancing the parse position, causing the caller to loop forever on the same input.

Server-Side Request Forgery and Sensitive Data Exposure

CVE-2026-47076 (CVSS 6.5) is an interpretation conflict leading to server-side request forgery (SSRF). The hackney_url:normalize/2 function URL-decodes the host component *after* the URL has been parsed into a #hackney_url{} record. OTP's uri_string:parse/1 and inet:parse_address/1 do not decode percent-escapes in the host, so a URL such as http://127.0.0.1%2eexample%2ecom/ can bypass host-based allowlists that check the decoded form.

CVE-2026-47070 (CVSS 6.1) exposes sensitive data through the HTTP/3 redirect handler (src/hackney_h3.erl). When a client issues an HTTP/3 request with follow_redirect enabled, the original request headers — which may contain authorization tokens, cookies, or API keys — are passed unchanged to the redirect target without any cross-origin check. This can leak credentials to an attacker-controlled server.

Response and Mitigation

As of the disclosure date, no patch has been released. Users of Hackney should monitor the project's repository for fixes. In the interim, mitigations include: validating and sanitizing all user-supplied URLs before passing them to Hackney; avoiding the use of follow_redirect with sensitive headers in HTTP/3 contexts; setting explicit timeouts on all connections; and limiting exposure to untrusted URL schemes. Given that Hackney is a foundational HTTP library in the Erlang ecosystem — used by projects such as Elixir's HTTPoison and Tesla — the impact of these vulnerabilities is broad.
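A caller-side guard that applies the interim mitigations above before a URL or a redirect reaches Hackney: it rejects CRLF in the URL (the request-splitting vector), restricts schemes so attacker-chosen schemes never reach binary_to_atom/2, accepts a host only when percent-decoding it is a no-op and the undecoded form is on the allowlist (the interpretation conflict behind the SSRF bypass), and strips credential headers when a redirect changes origin. This is an added example, not Hackney's own code; the module name hackney_guard is hypothetical, the allowlist is assumed to be a list of lowercase host binaries, and uri_string:percent_decode/1 assumes OTP 23 or later.

```erlang
-module(hackney_guard).
-export([check_url/2, redirect_headers/3]).

%% Schemes that may reach hackney. Rejecting every other scheme here keeps
%% attacker-chosen schemes away from binary_to_atom/2 (CVE-2026-47067).
-define(ALLOWED_SCHEMES, [<<"http">>, <<"https">>]).
%% Headers that must not be forwarded to a different origin (CVE-2026-47070).
-define(SENSITIVE, [<<"authorization">>, <<"cookie">>, <<"proxy-authorization">>]).

%% check_url(Url, AllowedHosts) -> {ok, Url} | {error, Reason}.
%% AllowedHosts is assumed to be a list of lowercase host binaries.
check_url(Url, AllowedHosts) when is_binary(Url) ->
    case binary:match(Url, [<<"\r">>, <<"\n">>]) of
        nomatch -> check_parsed(uri_string:parse(Url), Url, AllowedHosts);
        _Found  -> {error, crlf_in_url}   % CVE-2026-47075 / CVE-2026-47072 vector
    end.

check_parsed(#{scheme := Scheme, host := Host}, Url, AllowedHosts) ->
    SchemeOk = lists:member(string:lowercase(Scheme), ?ALLOWED_SCHEMES),
    %% A host containing percent-escapes decodes to a different name than the
    %% parser saw (CVE-2026-47076), so the host is accepted only when decoding
    %% it changes nothing and the result is on the allowlist.
    HostOk = (uri_string:percent_decode(Host) =:= Host)
             andalso lists:member(string:lowercase(Host), AllowedHosts),
    case {SchemeOk, HostOk} of
        {true, true}  -> {ok, Url};
        {false, _}    -> {error, {scheme_not_allowed, Scheme}};
        {true, false} -> {error, {host_not_allowed, Host}}
    end;
check_parsed(_NoSchemeOrHost, _Url, _AllowedHosts) ->
    {error, unparseable_url}.

%% redirect_headers(FromUrl, ToUrl, Headers) -> Headers, with sensitive
%% entries dropped when ToUrl is a different origin than FromUrl. Drive
%% redirects from the caller with this instead of enabling follow_redirect
%% on requests that carry credentials.
redirect_headers(FromUrl, ToUrl, Headers) ->
    case origin(FromUrl) =:= origin(ToUrl) of
        true  -> Headers;
        false -> [H || {Name, _} = H <- Headers,
                       not lists:member(string:lowercase(Name), ?SENSITIVE)]
    end.

%% Origin is the (scheme, host, effective port) triple, lowercased.
origin(Url) ->
    #{scheme := S, host := H} = Parsed = uri_string:parse(Url),
    Scheme = string:lowercase(S),
    {Scheme, string:lowercase(H), maps:get(port, Parsed, default_port(Scheme))}.

default_port(<<"https">>) -> 443;
default_port(_) -> 80.
```

With this guard, `check_url(<<"http://127.0.0.1%2eexample%2ecom/">>, [<<"127.0.0.1">>])` returns `{error, {host_not_allowed, ...}}` even though the decoded host would match, and a redirect from an https origin to any other host is forwarded without the Authorization and Cookie headers.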

Why This Batch Matters

This disclosure is notable not only for the sheer number of CVEs (ten) but for the diversity of affected protocol handlers and bug classes. The atom-exhaustion bug (CVE-2026-47067) is particularly severe because it can crash the entire BEAM VM, not just the calling process. The CRLF injection bugs (CVE-2026-47075, CVE-2026-47072, CVE-2026-47069) enable request smuggling and response splitting, which can have cascading effects on downstream systems. Users of Hackney should treat this batch with high priority and apply patches as soon as they become available.

AI-written article. Grounded in 10 CVE records listed below.