PT-2026-43066 · Hexpm · Hackney

Benoit Chesneau

+2

·

Published

2026-05-25

·

Updated

2026-06-26

·

CVE-2026-47069

CVSS v3.1

5.3

Medium

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions hackney versions 0.9.0 through 4.0.0
Description Improper Neutralization of CRLF Sequences, also known as CRLF Injection, allows HTTP Response Splitting. The setcookie/3 function in src/hackney cookie.erl validates Name and Value arguments against CRLF and control characters but concatenates the domain and path options into the output iolist without equivalent checks. An attacker controlling these options, such as by providing a Host header value as the cookie domain or a request path as the cookie path, can inject literal CRLF sequences and arbitrary additional Set-Cookie headers into the HTTP response.
Recommendations Update to version 4.0.1.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-47069
GHSA-MP55-P8C9-RFW2

Affected Products

Hackney