4 matches found

NVD
added 2026/05/25 3:16 p.m., 15 views

CVE-2026-47072

Improper Neutralization of CRLF Sequences 'CRLF Injection' vulnerability in benoitc hackney allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackneyws.erl copies the host, path, headers ExtraHeaders, and protocols options from the caller-supplied opts map into the interna...

CVSS 7.5, EPSS 0.00506
Exploits: 1, References: 4
Cvelist
added 2026/05/25 2:0 p.m., 34 views

CVE-2026-47073 Unbounded memory consumption in WebSocket client in hackney

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The WebSocket client in src/hackneyws.erl imposes no upper bound on memory consumption in three code paths. First, readhandshakeresponse/3 accumulates received bytes into a growing buffer with n...

CVSS 8.7, EPSS 0.00825
Exploits: 1, References: 4
CVE
added 2026/05/25 2:0 p.m., 23 views

CVE-2026-47072

CVE-2026-47072 affects hackney versions 2.0.0–4.0.0, where the WebSocket upgrade path is vulnerable to CRLF injection. The upgrade code copies caller-supplied host, path, headers (ExtraHeaders), and protocols options into the internal ws_data structure and then concatenates them into the HTTP/1.1...

CVSS 7.5, AI score 6, EPSS 0.00506
Exploits: 1, References: 4, Affected Software: 1
Positive Technologies
added 2026/05/25 12:0 a.m., 17 views

PT-2026-43069

Name of the Vulnerable Software and Affected Versions: hackney versions 2.0.0 through 4.0.0. Description: Improper Neutralization of CRLF Sequences, also known as CRLF Injection, allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackney ws.erl copies the host, path, headers...

CVSS 7.5, AI score 6, EPSS 0.00506
Exploits: 1, References: 8