
chore(deps): update [mix] hackney (~> 1.18 → ~> 4.0) [security]#193

Open
wttj-bot[bot] wants to merge 1 commit into main from renovate/hex-hackney-vulnerability

Conversation


@wttj-bot wttj-bot Bot commented May 25, 2026

Contributor

This PR contains the following updates:

Package          | Type | Update | Change
hackney (source) | prod | major  | ~> 1.18 → ~> 4.0

CRLF injection in cookie domain/path options in hackney

CVE-2026-47069 / EEF-CVE-2026-47069 / GHSA-mp55-p8c9-rfw2


Summary

Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Response Splitting. The hackney_cookie:setcookie/3 function in src/hackney_cookie.erl validates the Name and Value arguments against CRLF and control characters, but concatenates the domain and path options verbatim into the output iolist with no equivalent check. An attacker who controls either option — for example by supplying a Host header value forwarded as the cookie domain, or a request path forwarded as the cookie path — can inject a literal CRLF sequence and arbitrary additional Set-Cookie headers into the HTTP response.

This issue affects hackney: from 0.9.0 before 4.0.1.

Severity

  • CVSS Score: 2.1 / 10 (Low)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

References

This data is provided by OSV.


CR/LF injection in query parameter in hackney

CVE-2026-47075 / EEF-CVE-2026-47075 / GHSA-j9wq-vxxc-94wf


Summary

Improper Neutralization of CRLF Sequences vulnerability in benoitc hackney allows HTTP Request Splitting. hackney does not percent-encode carriage return (\r) or line feed (\n) characters in the URL query component before constructing the HTTP/1.1 request target. Characters outside the grammar defined in RFC 3986 Section 3.4 must be percent-encoded, but hackney_url:make_url/3 passes the query binary directly without validation or escaping. An attacker who can control all or part of a URL passed to hackney can inject raw CRLF sequences into the query string, which are then sent as HTTP line breaks in the request target. This enables injection of arbitrary HTTP headers or splitting of the HTTP request.

This issue affects hackney: from 0 before 4.0.1.

Severity

  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

References

This data is provided by OSV.


SOCKS5 TLS upgrade ignores caller timeout in hackney

CVE-2026-47071 / EEF-CVE-2026-47071 / GHSA-gp9c-pm5m-5cxr


Summary

Uncontrolled Resource Consumption vulnerability in benoitc hackney allows Flooding. The SOCKS5 transport in src/hackney_socks5.erl correctly applies the caller-supplied timeout to the SOCKS5 negotiation phase, but then upgrades the connection to TLS using the two-argument form ssl:connect/2, which defaults to an infinite timeout. The Timeout value is in scope at the call site but is not forwarded. A hostile SOCKS5 proxy that completes the SOCKS5 handshake normally and then goes silent (or sends a partial TLS ServerHello and stalls) will cause the connecting process to block indefinitely, regardless of the connect_timeout or recv_timeout options supplied by the caller.

This issue affects hackney: from 0.10.0 before 4.0.1.

Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by OSV.


SSRF allowlist bypass via percent-encoded host in hackney

CVE-2026-47076 / EEF-CVE-2026-47076 / GHSA-pj7v-xfvx-wmjq


Summary

Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery. hackney_url:normalize/2 URL-decodes the host component after the URL has been parsed into a #hackney_url{} record. OTP's uri_string:parse/1 and inet:parse_address/1 do not decode percent-escapes in the host, so a URL such as http://%31%32%37%2E%30%2E%30%2E%31/ is seen by a caller's allowlist validator with host %31%32%37%2E%30%2E%30%2E%31 (not an IP address), which passes the allowlist check. hackney's normalizer then decodes the host to 127.0.0.1 and opens a TCP connection to loopback. Because hackney:request/5 always calls hackney_url:normalize/2 with no opt-out, every request that takes a binary or list URL is affected. The same technique reaches cloud instance metadata services (169.254.169.254), RFC1918 networks, and any admin interface listening on localhost.

This issue affects hackney: from 0.13.0 before 4.0.1.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

References

This data is provided by OSV.


Release Notes

benoitc/hackney (hackney)

v4.0.1: hackney 4.0.1


Security release. Fixes 9 reported vulnerabilities (4 high, 4 medium, 1 low) plus one hardening change across the HTTP/1.1, HTTP/2, HTTP/3, WebSocket, cookie and URL handling code. No API changes, so it is a drop-in upgrade from 4.0.0.

If you use hackney directly or through a library (HTTPoison, Tesla's hackney adapter, ExAws, and others), please upgrade.

Security

High
  • CVE-2026-47066 (GHSA-6cp8): infinite loop in the Alt-Svc response parser.
  • CVE-2026-47073 (GHSA-q8jg): unbounded WebSocket frame, message and handshake buffers.
  • CVE-2026-47074 (GHSA-jq4m): slow-drip OOM on buffered HTTP/3 responses.
  • CVE-2026-47071 (GHSA-gp9c): missing timeout on a proxy TLS upgrade.
Medium
  • CVE-2026-47076 (GHSA-pj7v): SSRF allowlist bypass via percent-encoded host.
  • CVE-2026-47072 (GHSA-f9vr): CR/LF injection in the WebSocket upgrade request.
  • CVE-2026-47075 (GHSA-j9wq): CR/LF injection in the request target.
  • CVE-2026-47070 (GHSA-h73q): cross-origin HTTP/3 redirect leaked Authorization and Cookie.
Low
  • CVE-2026-47069 (GHSA-mp55): CR/LF injection via cookie domain and path options.
Hardening
  • to_atom/1 no longer falls back to list_to_atom/1, removing an atom-leak path (GHSA-6rmf, no CVE assigned).

Dependencies

  • Bump quic to 1.4.3.
  • Bump h2 to 0.6.0.

Credits

Thanks to PJUllrich, Ganbagana and tepel-chen for the reports, and to maennchen for coordinating disclosure.

Full changelog: https://github.com/benoitc/hackney/blob/master/NEWS.md

v4.0.0: hackney 4.0.0


Hackney 4 trims the client down. The HTTP/2 and HTTP/3 stacks are now delegated to erlang_h2 and erlang_quic, so hackney no longer ships its own framing, HPACK / QPACK codecs, control streams or state machines. The HTTP/3 path is fully RFC 9114 compliant via quic_h3, with ALPN negotiation, Alt-Svc discovery (RFC 7838), and the same hackney:request/5 API as HTTP/1.1.

The bundled metrics subsystem is gone. In its place a Go-style middleware chain runs around hackney:request/1..5, configured per request with {middleware, [Fun, ...]} or globally via application:set_env(hackney, middleware, [...]). Users plug in prometheus, telemetry or anything else without hackney owning the policy. See the Middleware Guide and the HTTP/3 Guide.

Breaking

  • Removed hackney_metrics, hackney_metrics_backend, hackney_metrics_prometheus, hackney_metrics_dummy. The metrics_backend app env is no longer read. Migration recipes for prometheus and telemetry are in guides/middleware.md. Pool state is still observable through hackney_pool:get_stats/1.
  • HTTP/2 and HTTP/3 low-level message tags and modules moved to the new libraries. The user-facing hackney:request/5 API is unchanged.

What's new

  • Middleware chain (hackney_middleware): outermost-first composition, request rewrite, response rewrite, short-circuit, per-request or global config.
  • HTTP/3 via quic_h3: pure Erlang QUIC stack, no NIFs. ALPN-negotiated, opt-in with {protocols, [http3, http2, http1]} or application:set_env(hackney, default_protocols, [http3, http2, http1]).
  • Alt-Svc auto-discovery: server Alt-Svc headers are now parsed and cached on every response (HTTP/1.1, HTTP/2 and HTTP/3), so subsequent requests can upgrade to HTTP/3 transparently. Honors clear and merges multiple Alt-Svc headers per RFC 7230 §3.2.2.
  • HTTP/2 connection-pooling stability fixes for sustained concurrent load (#836).

Deps

  • h2 0.4.0
  • quic 1.0.0

Full changelog: https://github.com/benoitc/hackney/blob/4.0.0/NEWS.md

v3.2.1


Bug Fixes
  • Fix recv_timeout option being ignored for pooled connections (#832)
  • Fix off-by-one error in HPACK decoding (#831)
  • Fix invalid match in handle_h2_frame/2 for HTTP/2 window updates (#829)
  • Fix binary syntax in EDoc comment to fix XML parsing error

v3.2.0


Refactor
  • Replace all cowlib modules with hackney-native implementations
  • Remove src/libs/ directory (all modules moved to src/)
Performance
  • HTTP/2 state machine optimizations:
    • Stream caching for recently accessed streams
    • gb_sets for lingering streams (O(log N) vs O(N) lookups)
    • IOList accumulation for header fragments
  • HPACK and QPACK header compression with O(1) static table lookups
  • WebSocket: use rand:bytes/1 instead of crypto:strong_rand_bytes/1 for mask keys
Added
  • h2spec HTTP/2 compliance testing (95% pass rate - 139/146 tests)
    • h2spec_server.erl: Minimal HTTP/2 server for compliance testing
    • h2spec_SUITE.erl: CT suite for running h2spec tests
    • Makefile target: make h2spec-test
  • HTTP/3 E2E tests against real servers
    • hackney_http3_e2e_SUITE.erl: Tests against Cloudflare, Google, quic.tech
    • Makefile targets: make http3-e2e-test, make all-e2e-test
  • HTTP/2 machine benchmarks (hackney_http2_machine_bench.erl)
Bug Fixes
  • Fix HTTP/2 flow control for body sending (use send_or_queue_data/4)
  • Fix async 204/304/HEAD responses not sending done message
  • Fix unknown HTTP/2 frame types not being ignored (RFC 7540 4.1)
  • Fix HTTP/2 frame size validation

v3.1.2


Dependencies
  • Bump quic dependency to 0.10.1

v3.1.1


Bug Fixes

  • Fix HTTP/3 Fin flag handling for HEAD requests and responses without body
  • Bump quic dependency to 0.7.1 (fixes packet number reconstruction)

Added

  • Add TLS options support in hackney_quic (verify, cacerts, cacertfile, SNI)
  • Add redirect following in hackney_h3 (follow_redirect, max_redirect options)
  • Add HTTP/3 integration and redirect test suites (36 new tests)

v3.1.0


Refactor

  • Replace QUIC NIF with pure Erlang implementation. HTTP/3 now works with zero external dependencies - no CMake, Go, or C compiler needed. Just rebar3 compile.

Removed

  • Remove c_src/ directory containing lsquic, BoringSSL, and NIF code (~1.3M lines of C)
  • Remove do_cmake.sh and do_quic.sh build scripts

Added

  • Add hackney_qpack.erl for QPACK header compression (RFC 9204)

Changed

  • hackney_quic:is_available/0 now always returns true (pure Erlang is always available)
  • Update documentation to reflect no C dependencies

Dependencies

  • Add quic ~>0.5.1 (pure Erlang QUIC implementation)

v3.0.3


Bug Fixes
  • Restore function-based streaming body support (#821). Functions passed to send_body/2 now work correctly for iterative body streaming, supporting both stateless fun() -> {ok, Data} | eof and stateful fun(State) -> {ok, Data, NewState} | eof forms.
CI
  • Fix FreeBSD CI job by adding pcre2 package to resolve git linker error

v3.0.2


Bug Fixes
  • Add default Content-Type: application/octet-stream header when sending a body without explicit Content-Type (#823). This restores 1.x behavior and follows RFC 7231 recommendations.
Dependencies

v3.0.1


v3.0.0


v2.0.1


v2.0.0



Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Renovate Bot.
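The advisories above describe three caller-side pitfalls in the pre-4.0.1 versions: the allowlist check sees the percent-encoded host while hackney connects to the decoded one (CVE-2026-47076), raw CR/LF in the query is sent verbatim (CVE-2026-47075), and the cookie domain/path options skip the CR/LF check that Name and Value get (CVE-2026-47069). The module below is an added example, not hackney's code and not part of this PR: a pre-flight guard an application can run before handing a URL or cookie options to an unpatched hackney. It validates the host the way hackney's normalizer will see it (percent-decoded), refuses percent-encoded hosts outright, blocks loopback, link-local and RFC 1918 IPv4 literals, rejects raw CR/LF anywhere in the URL, and applies a control-character check to cookie domain/path. Assumptions: OTP 23 or newer (for uri_string:percent_decode/1), an allowlist given as lowercase host binaries, and that DNS names are resolved and checked elsewhere. hackney_guard, check_url/2, check_cookie_opts/1 and demo/0 are names chosen for this example; the inputs in demo/0 are constructed. This is defence in depth for the window before 4.0.1 lands, not a replacement for the upgrade.

```erlang
%% hackney_guard.erl: added example, not part of hackney or of this PR.
-module(hackney_guard).
-export([check_url/2, check_cookie_opts/1, demo/0]).

%% IPv4 ranges an SSRF allowlist normally has to keep out, as {Base, PrefixBits}:
%% loopback, RFC 1918, link-local (cloud metadata on 169.254.169.254) and "this host".
-define(PRIVATE_V4, [{{127,0,0,0}, 8}, {{10,0,0,0}, 8}, {{172,16,0,0}, 12},
                     {{192,168,0,0}, 16}, {{169,254,0,0}, 16}, {{0,0,0,0}, 8}]).

%% check_url(Url, AllowedHosts) -> {ok, Host} | {error, Reason}.
%% AllowedHosts is a list of lowercase host binaries (assumption of this example).
check_url(Url, AllowedHosts) when is_binary(Url), is_list(AllowedHosts) ->
    case has_crlf(Url) of
        %% CVE-2026-47075: hackney sends raw CR/LF in the query as-is, so refuse it
        %% anywhere in the URL instead of trying to escape it here.
        true  -> {error, crlf_in_url};
        false -> check_parsed(uri_string:parse(Url), AllowedHosts)
    end.

check_parsed({error, _, _}, _) ->
    {error, invalid_uri};
check_parsed(#{host := RawHost}, AllowedHosts) ->
    %% uri_string:parse/1 leaves percent-escapes in the host untouched; hackney's
    %% normalizer decodes them after the caller's check (CVE-2026-47076), so decode
    %% first and validate the host hackney will actually connect to.
    case uri_string:percent_decode(RawHost) of
        {error, _, _} ->
            {error, bad_percent_encoding};
        Decoded ->
            Host = string:lowercase(Decoded),
            case {Decoded =/= RawHost, is_private_ip(Host),
                  lists:member(Host, AllowedHosts)} of
                {true, _, _}         -> {error, {percent_encoded_host, Host}};
                {_, true, _}         -> {error, {private_address, Host}};
                {_, _, false}        -> {error, {host_not_allowed, Host}};
                {false, false, true} -> {ok, Host}
            end
    end;
check_parsed(_, _) ->
    {error, no_host}.

%% True for IPv4 literals inside ?PRIVATE_V4 and for the IPv6 loopback literal.
%% DNS names return false here; resolving them is out of scope for this example.
is_private_ip(Host) ->
    case inet:parse_address(binary_to_list(Host)) of
        {ok, {_, _, _, _} = Ip} ->
            lists:any(fun({Base, Bits}) -> in_cidr(Ip, Base, Bits) end, ?PRIVATE_V4);
        {ok, {0, 0, 0, 0, 0, 0, 0, 1}} -> true;
        {ok, _OtherIpv6} -> false;
        {error, einval} -> false
    end.

in_cidr({A, B, C, D}, {BA, BB, BC, BD}, Bits) ->
    Mask = (16#FFFFFFFF bsl (32 - Bits)) band 16#FFFFFFFF,
    (v4_int(A, B, C, D) band Mask) =:= (v4_int(BA, BB, BC, BD) band Mask).

v4_int(A, B, C, D) -> (A bsl 24) bor (B bsl 16) bor (C bsl 8) bor D.

has_crlf(Bin) -> binary:match(Bin, [<<"\r">>, <<"\n">>]) =/= nomatch.

%% CVE-2026-47069: hackney_cookie:setcookie/3 checks Name and Value for CR/LF and
%% control characters but not the domain/path options; apply the same rule to them.
check_cookie_opts(Opts) when is_list(Opts) ->
    Bad = [Key || Key <- [domain, path],
                  has_ctl(iolist_to_binary(proplists:get_value(Key, Opts, <<>>)))],
    case Bad of
        [] -> ok;
        _  -> {error, {ctl_in_cookie_option, Bad}}
    end.

has_ctl(Bin) -> lists:any(fun(C) -> C < 32 orelse C =:= 127 end, binary_to_list(Bin)).

%% Constructed inputs exercising each rejection path; returns ok when all match.
demo() ->
    Allowed = [<<"api.example.com">>],
    {ok, <<"api.example.com">>} =
        check_url(<<"https://API.example.com/v1/items?limit=10">>, Allowed),
    {error, {percent_encoded_host, <<"127.0.0.1">>}} =
        check_url(<<"http://%31%32%37%2E%30%2E%30%2E%31/">>, Allowed),
    {error, {private_address, <<"169.254.169.254">>}} =
        check_url(<<"http://169.254.169.254/latest/meta-data/">>, Allowed),
    {error, {host_not_allowed, <<"evil.example.net">>}} =
        check_url(<<"https://evil.example.net/">>, Allowed),
    {error, crlf_in_url} =
        check_url(<<"https://api.example.com/?q=1\r\nX-Injected: 1">>, Allowed),
    ok = check_cookie_opts([{domain, <<"example.com">>}, {path, <<"/app">>}]),
    {error, {ctl_in_cookie_option, [domain]}} =
        check_cookie_opts([{domain, <<"example.com\r\nSet-Cookie: a=b">>}, {path, <<"/">>}]),
    ok.
```

Run it with `erlc hackney_guard.erl && erl -noshell -eval 'ok = hackney_guard:demo(), halt().'`; every match in demo/0 fails loudly if a case is not rejected as expected. Two design points: the guard refuses any percent-encoded host rather than decoding and re-checking, because a legitimate host never needs escaping and the bypass relies on the two components disagreeing; and it rejects only raw CR/LF bytes, since a percent-encoded `%0D%0A` is passed through unchanged by hackney and decoded (if at all) by the server, which is the server's problem rather than request splitting on the client side.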

@wttj-bot wttj-bot Bot requested a review from a team as a code owner May 25, 2026 17:07
@wttj-bot wttj-bot Bot changed the title chore(deps): update [mix] hackney (~> 1.18 → ~> 4.0) [security] chore(deps): update [mix] hackney (~> 1.18 → ~> 4.0) [security] - autoclosed May 29, 2026
@wttj-bot wttj-bot Bot closed this May 29, 2026
@wttj-bot wttj-bot Bot deleted the renovate/hex-hackney-vulnerability branch May 29, 2026 10:53
@wttj-bot wttj-bot Bot changed the title chore(deps): update [mix] hackney (~> 1.18 → ~> 4.0) [security] - autoclosed chore(deps): update [mix] hackney (~> 1.18 → ~> 4.0) [security] May 29, 2026
@wttj-bot wttj-bot Bot reopened this May 29, 2026
@wttj-bot wttj-bot Bot force-pushed the renovate/hex-hackney-vulnerability branch 2 times, most recently from 4e9ec8f to 3dd1a26 Compare May 29, 2026 12:10