PT-2026-43072 · Benoitc · Hackney
Benoit Chesneau
+2
·
Published
2026-05-25
·
Updated
2026-06-26
·
CVE-2026-47076
CVSS v4.0
6.9
Medium
| Vector | AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
benoitc hackney versions 0.13.0 through 4.0.0
Description
An interpretation conflict allows Server Side Request Forgery (SSRF), a flaw where an attacker can induce the server to make requests to an unintended location. The function
hackney url:normalize/2 URL-decodes the host component after the URL has been parsed into a #hackney url{} record. Since OTP's uri string:parse/1 and inet:parse address/1 do not decode percent-escapes in the host, a URL containing percent-encoded characters can bypass allowlist validators that do not recognize the encoded string as an IP address. Subsequently, the normalizer decodes the host (e.g., converting %31%32%37%2E%30%2E%30%2E%31 to 127.0.0.1), enabling TCP connections to the loopback interface, cloud instance metadata services (169.254.169.254), RFC1918 networks, and local admin interfaces. This occurs because hackney:request/5 always invokes hackney url:normalize/2 without an opt-out mechanism for requests using binary or list URLs.Recommendations
Update benoitc hackney to version 4.0.1.
Exploit
Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Hackney