GHSA-mp55-p8c9-rfw2
Hackney has CRLF / header injection via unvalidated `domain` and `path` options
Details
### Summary
CRLF injection in `hackney_cookie:setcookie/3` (`src/hackney_cookie.erl`). The function validates `Name` and `Value` against CR/LF and control characters but concatenates the `domain` and `path` options verbatim into the output binary. If either option carries attacker-controlled data (for example a `Host` header forwarded as the cookie domain, or a request URI forwarded as the cookie path), a `\r\n` in the value splits the `Set-Cookie` header and lets the attacker inject additional headers into the HTTP response.
### Details
**1. Asymmetric validation**
Lines 27–34 of `hackney_cookie.erl` run `binary:match` on `Name` and `Value`, rejecting `=`, `,`, `;`, whitespace, `\r`, `\n`, `\013`, and `\014`. The `Domain` and `Path` options (lines 47 and 51) skip this check entirely and land straight in the result iolist:
```erlang
[<<"; Domain=">>, Domain]
[<<"; Path=">>, Path]
```
`iolist_to_binary(...)` on line 63 flattens everything and returns it to the caller.
**2. Injection**
A `Path` of `<<"/x\r\nSet-Cookie: admin=1; Path=/">>` produces a binary with a literal `\r\n`. Written into a `Set-Cookie` response header, the receiving HTTP parser splits it into two headers — one legitimate, one attacker-controlled.
**3. Realistic trigger**
Common patterns: keying the cookie domain off `Host`, deriving the path from the request URI, or copying a `Location` path into a cookie. Any of these lets a remote attacker control the injected content.
### PoC
1. Call `hackney_cookie:setcookie(<<"sid">>, <<"abc">>, [{path, <<"/x\r\nSet-Cookie: admin=1; Path=/">>}])`.
2. The returned binary contains a literal `\r\n` followed by a second `Set-Cookie:` line.
3. Write the result into a `Set-Cookie` response header — the client parses two headers, including `admin=1`.
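The asymmetric validation described above is closed by applying the same character check to the `domain` and `path` options that `hackney_cookie` already applies to `Name` and `Value`. The module below is an added example, not hackney's own code and not the upstream patch; the module and function names (`cookie_attr_guard`, `validate_attr/1`, `safe_setcookie/3`, `header_is_single_line/1`) are hypothetical. It wraps `hackney_cookie:setcookie/3`, rejects the PoC path from step 1 before it is ever concatenated, and adds a last-line check that the finished header value contains no CR or LF.

```erlang
%% Added example (not hackney's own code): reject control characters in the
%% Domain and Path cookie attributes before they reach
%% hackney_cookie:setcookie/3. Module and function names are hypothetical.
-module(cookie_attr_guard).
-export([validate_attr/1, safe_setcookie/3, header_is_single_line/1]).

%% Characters that must never appear in a cookie attribute value: CR, LF,
%% vertical tab (\013) and form feed (\014), which hackney already rejects
%% in Name and Value, plus ';' and ',' which would terminate or split the
%% attribute inside the Set-Cookie line.
-define(FORBIDDEN, [<<$\r>>, <<$\n>>, <<$\v>>, <<$\f>>, <<";">>, <<",">>]).

%% validate_attr(Bin) -> ok | {error, invalid_attr}
%% Non-binary values are rejected outright rather than converted.
validate_attr(Bin) when is_binary(Bin) ->
    case binary:match(Bin, ?FORBIDDEN) of
        nomatch -> ok;
        _Found  -> {error, invalid_attr}
    end;
validate_attr(_) ->
    {error, invalid_attr}.

%% safe_setcookie(Name, Value, Opts) -> {ok, binary()} | {error, invalid_attr}
%% Validates every domain/path option present in Opts, then delegates to
%% hackney_cookie:setcookie/3 only if all of them are clean.
safe_setcookie(Name, Value, Opts) ->
    Results = [validate_attr(V) || {K, V} <- Opts,
                                   K =:= domain orelse K =:= path],
    case lists:all(fun(R) -> R =:= ok end, Results) of
        true  -> {ok, hackney_cookie:setcookie(Name, Value, Opts)};
        false -> {error, invalid_attr}
    end.

%% Defence in depth for the response-writing side: a Set-Cookie value that
%% is about to be emitted must be a single line.
header_is_single_line(Bin) when is_binary(Bin) ->
    binary:match(Bin, [<<$\r>>, <<$\n>>]) =:= nomatch.
```

With this wrapper, `safe_setcookie(<<"sid">>, <<"abc">>, [{path, <<"/x\r\nSet-Cookie: admin=1; Path=/">>}])` returns `{error, invalid_attr}` and nothing is concatenated, while a benign call such as `safe_setcookie(<<"sid">>, <<"abc">>, [{path, <<"/">>}, {domain, <<"example.com">>}])` returns `{ok, Bin}` for which `header_is_single_line(Bin)` is `true`. The output check is deliberately kept separate so it can also guard header values produced by other code paths.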
### Impact
Cookie injection / HTTP response splitting at the `hackney_cookie` API boundary. Affects hackney 0.9.0 through 4.0.0 wherever `domain` or `path` options are populated from request data. Exploitation can overwrite session/auth cookies, fix cookies, or strip `Secure`/`HttpOnly` flags. CVSS v4.0: **2.1 (LOW)** — requires attacker-controlled input to reach the `domain` or `path` option.
## Resources
* Introduction commit: https://github.com/benoitc/hackney/commit/602d5c7f2ea4acbc83ed75230655d935a0750ebc
* Patch commit: https://github.com/benoitc/hackney/commit/8e02b99c28aea1b3fa2ddc0e66f51fe5bb0ac540
References
- https://github.com/benoitc/hackney/security/advisories/GHSA-mp55-p8c9-rfw2 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-47069 [ADVISORY]
- https://github.com/benoitc/hackney/commit/8e02b99c28aea1b3fa2ddc0e66f51fe5bb0ac540 [WEB]
- https://cna.erlef.org/cves/CVE-2026-47069.html [WEB]
- https://github.com/benoitc/hackney [PACKAGE]
- https://osv.dev/vulnerability/EEF-CVE-2026-47069 [WEB]