Listen to this Post
The vulnerability arises because `hackney_url:make_url/3` does not percent-encode carriage return (\r) or line feed (\n) characters in the URL query component before building the HTTP/1.1 request target.
RFC 3986 Section 3.4 requires such characters to be percent-encoded, but the library passes the query binary directly without validation or escaping.
An attacker who controls any portion of the URL passed to hackney can inject raw CRLF sequences into the query string.
These sequences are then sent as HTTP line breaks in the request target, allowing the injection of arbitrary HTTP headers or the splitting of the HTTP request.
For example, if a URL contains a query like ?q=x HTTP/1.1\r\nX-Injected: yes\r\nX:, the resulting request line becomes:
`GET /?q=x HTTP/1.1 X-Injected: yes X: HTTP/1.1 Host: …`
The server then interprets `X-Injected: yes` as a legitimate header, enabling header injection and request smuggling through proxies.
The issue affects all hackney versions before 4.0.1, which was released on 2026-05-25 to address this and nine other security flaws.
The patch introduces a `valid_request_target/1` check that rejects any request target containing \r, \n, or NUL bytes before the request reaches the socket.
DailyCVE Form:
Platform: Erlang hackney client
Version: <4.0.1
Vulnerability: CRLF Injection
Severity: High (7.5)
date: 2026-05-25
Prediction: Already patched
What Undercode Say:
Confirm vulnerable version
rebar3 tree | grep hackney
PoC: listen on a raw TCP port
nc -lvnp 8080
Trigger injection (from an Erlang shell or a calling application)
hackney:get("http://127.0.0.1:8080/?q=x HTTP/1.1\r\nX-Injected: yes\r\nX:").
Observe the injected header in the netcat output
Exploit:
- Craft a URL containing `\r\n` sequences in the query parameter.
- Feed the malicious URL to a hackney request function (e.g.,
hackney:get/1,hackney:post/3). - Inject extra HTTP headers, modify existing headers (e.g.,
Authorization,Host,X-Forwarded-For), or split the request through a proxy.
Protection:
- Upgrade to hackney 4.0.1 or later (the patch rejects invalid request targets).
- If upgrade is not possible, validate and percent-encode all user‑supplied URL components before passing them to hackney.
- Use a Web Application Firewall (WAF) to detect and block CRLF sequences in outgoing requests.
Impact:
- Header Injection – Attackers can insert arbitrary HTTP headers, potentially overriding security‑sensitive ones (e.g.,
Host,Authorization). - Request Splitting – Malformed requests can be split into two separate HTTP requests, leading to cache poisoning, session hijacking, or bypass of security controls.
- Smuggling Through Proxies – Intermediary caches or reverse proxies may interpret the split request differently, enabling request smuggling attacks.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

