Benoitc · Hackney · CVE-2026-47076
**Name of the Vulnerable Software and Affected Versions**
benoitc hackney versions 0.13.0 through 4.0.0
**Description**
An interpretation conflict allows Server Side Request Forgery (SSRF), a flaw where an attacker can induce the server to make requests to an unintended location. The function `hackney_url:normalize/2` URL-decodes the host component after the URL has been parsed into a `#hackney_url{}` record. Since OTP's `uri_string:parse/1` and `inet:parse_address/1` do not decode percent-escapes in the host, a URL containing percent-encoded characters can bypass allowlist validators that do not recognize the encoded string as an IP address. The normalizer then decodes the host (e.g., converting `%31%32%37%2E%30%2E%30%2E%31` to `127.0.0.1`), enabling TCP connections to the loopback interface, cloud instance metadata services (169.254.169.254), RFC1918 networks, and local admin interfaces. This occurs because `hackney:request/5` always invokes `hackney_url:normalize/2` without an opt-out mechanism for requests using binary or list URLs.
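The root cause above is a validator that judges the host in its encoded form while the client connects to the decoded form. The following is an added example, not code from hackney or from the advisory, of an outbound-URL allowlist check written to close that gap: it percent-decodes the host first (with OTP's own `uri_string:percent_decode/1`) and only then classifies it with `inet:parse_address/1`. The module name `ssrf_guard` and the function names are assumptions made for this example.

```erlang
%% Added example, not hackney's own code. Validates the host an HTTP client
%% will actually connect to, i.e. after percent-decoding, so that an encoded
%% loopback or metadata address cannot pass as an unrecognised hostname.
-module(ssrf_guard).
-export([check_url/1, is_internal_host/1, demo/0]).

%% Returns ok when the URL's decoded host is neither an internal address
%% nor "localhost"; otherwise {error, Reason}.
check_url(Url) when is_binary(Url); is_list(Url) ->
    case uri_string:parse(Url) of
        #{host := Host0} ->
            %% Decode BEFORE validating: this is the step the vulnerable
            %% validator skipped, and the step hackney_url:normalize/2 performs.
            case uri_string:percent_decode(Host0) of
                {error, invalid_percent_encoding, _} ->
                    {error, bad_percent_encoding};
                Decoded ->
                    case is_internal_host(to_list(Decoded)) of
                        true  -> {error, internal_host};
                        false -> ok
                    end
            end;
        #{} ->
            {error, no_host};
        {error, _, _} ->
            {error, unparseable_url}
    end.

%% True for loopback, link-local (incl. 169.254.169.254), RFC1918,
%% unspecified, IPv6 ULA and IPv4-mapped equivalents, or "localhost".
is_internal_host(Host) when is_list(Host) ->
    case inet:parse_address(Host) of
        {ok, Addr}      -> is_internal_addr(Addr);
        {error, einval} -> string:lowercase(Host) =:= "localhost"
    end.

is_internal_addr({127, _, _, _})                -> true;   % loopback
is_internal_addr({10, _, _, _})                 -> true;   % RFC1918
is_internal_addr({172, B, _, _}) when B >= 16, B =< 31 -> true;
is_internal_addr({192, 168, _, _})              -> true;
is_internal_addr({169, 254, _, _})              -> true;   % link-local / metadata
is_internal_addr({0, _, _, _})                  -> true;   % unspecified
is_internal_addr({0, 0, 0, 0, 0, 0, 0, 1})      -> true;   % ::1
is_internal_addr({0, 0, 0, 0, 0, 16#ffff, AB, CD}) ->      % ::ffff:a.b.c.d
    is_internal_addr({AB bsr 8, AB band 16#ff, CD bsr 8, CD band 16#ff});
is_internal_addr({A, _, _, _, _, _, _, _}) when (A band 16#fe00) =:= 16#fc00 -> true; % fc00::/7
is_internal_addr({A, _, _, _, _, _, _, _}) when (A band 16#ffc0) =:= 16#fe80 -> true; % fe80::/10
is_internal_addr(_)                             -> false.

to_list(B) when is_binary(B) -> binary_to_list(B);
to_list(L) when is_list(L)   -> L.

%% Constructed inputs: the encoded loopback host from the advisory, its
%% plain form, an encoded metadata address, and an ordinary public host.
demo() ->
    [{Url, check_url(Url)} || Url <- [
        <<"http://%31%32%37%2E%30%2E%30%2E%31/admin">>,   % -> {error, internal_host}
        <<"http://127.0.0.1/admin">>,                      % -> {error, internal_host}
        "http://169%2E254%2E169%2E254/latest/meta-data/", % -> {error, internal_host}
        <<"https://example.com/">>                         % -> ok
    ]].
```

This check only covers literal addresses in the URL; a hostname that resolves to an internal address, or a redirect to one, still has to be caught at resolution or connect time, so it complements rather than replaces upgrading to hackney 4.0.1.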
**Recommendations**
Update benoitc hackney to version 4.0.1.