CVE-2025-1211

Name of the Vulnerable Software and Affected Versions: hackney versions 0.0.0 and later

Description: The issue arises from improper parsing of URLs by the URI built-in module and hackney, leading to Server-side Request Forgery (SSRF). Given a URL like http://127.0.0.1?@127.2.2.2/, the URI function correctly identifies the host as 127.0.0.1, but hackney incorrectly refers to the host as 127.2.2.2/. This can be exploited when users rely on the URL function for host checking.

Recommendations: For hackney versions 0.0.0 and later, consider disabling the URL parsing functionality until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the URI module for host checking in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.