PT-2026-43072 · Benoitc · Hackney

Benoit Chesneau

+2

·

Published

2026-05-25

·

Updated

2026-06-26

·

CVE-2026-47076

CVSS v4.0

6.9

Medium

VectorAV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions benoitc hackney versions 0.13.0 through 4.0.0
Description An interpretation conflict allows Server Side Request Forgery (SSRF), a flaw where an attacker can induce the server to make requests to an unintended location. The function hackney url:normalize/2 URL-decodes the host component after the URL has been parsed into a #hackney url{} record. Since OTP's uri string:parse/1 and inet:parse address/1 do not decode percent-escapes in the host, a URL containing percent-encoded characters can bypass allowlist validators that do not recognize the encoded string as an IP address. Subsequently, the normalizer decodes the host (e.g., converting %31%32%37%2E%30%2E%30%2E%31 to 127.0.0.1), enabling TCP connections to the loopback interface, cloud instance metadata services (169.254.169.254), RFC1918 networks, and local admin interfaces. This occurs because hackney:request/5 always invokes hackney url:normalize/2 without an opt-out mechanism for requests using binary or list URLs.
Recommendations Update benoitc hackney to version 4.0.1.

Exploit

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-47076
GHSA-PJ7V-XFVX-WMJQ

Affected Products

Hackney