Ten CVEs Disclosed in Hackney HTTP Client: CRLF Injection, Resource Exhaustion, and SSRF
A batch of ten vulnerabilities was disclosed on May 25, 2026, in the widely used Erlang HTTP client library Hackney, including CRLF injection, resource exhaustion, and SSRF flaws.

On May 25, 2026, a batch of ten CVEs was published for Hackney, the popular Erlang HTTP client library maintained by Benoitc. The vulnerabilities span multiple protocol handlers — HTTP/1.1, HTTP/3, WebSocket, and SOCKS5 — and include CRLF injection, uncontrolled resource consumption, server-side request forgery, and sensitive data exposure. Seven of the ten carry a CVSSv3 score of 7.5 (High), while the remaining three are rated Medium (6.5, 6.1, and 5.3). The breadth of affected components means that any application using Hackney to make outbound HTTP requests could be impacted.
Three CVEs in the batch deal with improper neutralization of CRLF sequences. CVE-2026-47075 (CVSS 7.5) affects the HTTP/1.1 code path: Hackney does not percent-encode carriage return (\r) or line feed (\n) characters in the URL query component before constructing the request target. An attacker who controls part of a URL passed to Hackney can inject headers or split the request entirely. CVE-2026-47072 (CVSS 7.5) targets the WebSocket upgrade path in src/hackney_ws.erl, where the host, path, headers, and protocols options are copied without sanitization, enabling HTTP request/response splitting. CVE-2026-47069 (CVSS 5.3) is a more constrained CRLF issue in the cookie handler, where domain and path options are concatenated verbatim.
Five CVEs describe allocation or resource exhaustion bugs that can lead to denial of service. CVE-2026-47077 (CVSS 7.5) targets the HTTP/3 response body handler: hackney_h3:await_response_loop/6 accumulates the entire response body in memory with no size cap, and the per-message inactivity timer resets on every received chunk, meaning a slow drip of data can keep the connection alive indefinitely while memory grows without bound. CVE-2026-47073 (CVSS 7.5) covers three unbounded memory consumption paths in the WebSocket client. CVE-2026-47071 (CVSS 7.5) affects the SOCKS5 transport, where the TLS upgrade uses an infinite timeout. CVE-2026-47067 (CVSS 7.5) is a particularly insidious bug in the URL parser: every unrecognized URL scheme is converted to a permanent BEAM atom via binary_to_atom/2, and BEAM atoms are never garbage-collected, so an attacker who can supply arbitrary URLs can exhaust the atom table, crashing the entire Erlang VM. CVE-2026-47066 (CVSS 7.5) describes an infinite loop in the Alt-Svc response header parser.
Two additional vulnerabilities involve server-side request forgery and sensitive data exposure. CVE-2026-47076 (CVSS 6.5) is an interpretation conflict leading to SSRF: the hackney_url:normalize/2 function URL-decodes the host component after parsing, allowing URLs such as http://127.0.0.1%2eexample%2ecom/ to bypass host-based allowlists. CVE-2026-47070 (CVSS 6.1) exposes sensitive data through the HTTP/3 redirect handler: when follow_redirect is enabled, original request headers are passed unchanged to the redirect target without any cross-origin check, potentially leaking authorization tokens or cookies to an attacker-controlled server.
As of the disclosure date, no patch has been released. Users of Hackney should monitor the project's repository for fixes. In the interim, mitigations include: validating and sanitizing all user-supplied URLs before passing them to Hackney; avoiding the use of follow_redirect with sensitive headers in HTTP/3 contexts; setting explicit timeouts on all connections; and limiting exposure to untrusted URL schemes. Given that Hackney is a foundational HTTP library in the Erlang ecosystem — used by projects such as Elixir's HTTPoison and Tesla — the impact of these vulnerabilities is broad.
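The pre-flight checks above, as an added Erlang example that is not Hackney's own code: a small module that enforces a scheme allowlist, refuses raw CR/LF, refuses percent-encoded hosts, and disables redirects. The module and function names are this example's own; follow_redirect, connect_timeout and recv_timeout are assumed to be hackney's request options, with illustrative values.

```erlang
%% Added example (not Hackney's code): pre-flight checks for caller-supplied
%% URLs, using only OTP's uri_string, before a hackney:request/5 call.
-module(hackney_url_guard).
-export([check/2, request_opts/1]).

%% Schemes hackney handles natively; anything else is refused here so it never
%% reaches binary_to_atom/2 in the URL parser (CVE-2026-47067).
-define(ALLOWED_SCHEMES, ["http", "https"]).

%% check(Url, AllowedHosts) -> {ok, UrlBin} | {error, Reason}.
%% AllowedHosts is a list of lowercase host strings, e.g. ["api.example.com"].
check(Url, AllowedHosts) when is_list(AllowedHosts) ->
    Bin = unicode:characters_to_binary(Url),
    %% Raw CR/LF is what the HTTP/1.1 path leaves unencoded in the query
    %% (CVE-2026-47075) and what the WebSocket upgrade copies verbatim
    %% (CVE-2026-47072): refuse it anywhere in the URL.
    case binary:match(Bin, [<<"\r">>, <<"\n">>]) of
        nomatch -> check_parsed(Bin, AllowedHosts, uri_string:parse(Bin));
        _       -> {error, crlf_in_url}
    end.

check_parsed(_Bin, _Allowed, {error, _Reason, _Term}) ->
    {error, unparseable_url};
check_parsed(Bin, Allowed, #{scheme := Scheme0, host := Host0}) ->
    Scheme = string:lowercase(unicode:characters_to_list(Scheme0)),
    Host   = string:lowercase(unicode:characters_to_list(Host0)),
    case lists:member(Scheme, ?ALLOWED_SCHEMES) of
        false -> {error, {scheme_not_allowed, Scheme}};
        true  -> check_host(Bin, Host, Allowed)
    end;
check_parsed(_Bin, _Allowed, _NoSchemeOrHost) ->
    {error, missing_scheme_or_host}.

%% A '%' in the host means hackney_url:normalize/2 would decode it after the
%% allowlist saw the encoded form (CVE-2026-47076): reject, never re-decode.
check_host(Bin, Host, Allowed) ->
    case {lists:member($%, Host), lists:member(Host, Allowed)} of
        {true, _}      -> {error, percent_encoded_host};
        {false, false} -> {error, {host_not_allowed, Host}};
        {false, true}  -> {ok, Bin}
    end.

%% Options to prepend to every hackney call: no automatic redirects, so request
%% headers cannot follow a 3xx cross-origin (CVE-2026-47070), and explicit
%% finite timeouts. Option names are hackney's; the values are illustrative.
request_opts(Opts) ->
    [{follow_redirect, false},
     {connect_timeout, 5000},
     {recv_timeout, 15000} | Opts].
```

For the http://127.0.0.1%2eexample%2ecom/ URL from the SSRF description, check/2 returns {error, percent_encoded_host} when uri_string:parse accepts the encoded authority and {error, unparseable_url} when it does not, so the allowlist never compares against a host that hackney would later decode.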
This disclosure is notable not only for the sheer number of CVEs (ten) but for the diversity of affected protocol handlers and bug classes. The atom-exhaustion bug (CVE-2026-47067) is particularly severe because it can crash the entire BEAM VM, not just the calling process. The CRLF injection bugs (CVE-2026-47075, CVE-2026-47072) enable request splitting, which can lead to cache poisoning or session hijacking in downstream proxies. The lack of a patch at disclosure time means that organizations relying on Hackney must implement workarounds or temporarily switch to alternative HTTP clients until fixes are available.