
CVE-2026-47072

High ⚡ Exploit Available
CWE-93 — Weakness Type
Published: May 25, 2026  ·  Modified: Jun 1, 2026  ·  Source: NVD
CVSS v3
7.5
📄 Description (English)

Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackney_ws.erl copies the host, path, headers (ExtraHeaders), and protocols options from the caller-supplied opts map into the internal #ws_data{} record in init/1 and then splices them verbatim into the raw HTTP/1.1 upgrade request by binary concatenation in do_handshake/1. No CRLF or NUL stripping is performed at any of these four injection sites. An attacker who controls any of these options — for example by forwarding URL components or header values from untrusted input into hackney_ws:start_link/1 — can inject arbitrary HTTP headers into the outbound WebSocket upgrade request, leading to header injection, credential spoofing toward the upstream server, log and cache poisoning, or request smuggling via intermediary proxies.

This issue affects hackney: from 2.0.0 before 4.0.1.

🤖 AI Executive Summary

CVE-2026-47072 is a high-severity (CVSS 7.5) CRLF injection vulnerability in the WebSocket client of the Erlang HTTP library hackney (versions 2.0.0 through 4.0.0). The host, path, headers and protocols options are concatenated into the HTTP/1.1 upgrade request without stripping CR, LF or NUL bytes, so an application that forwards untrusted input into any of those options lets an attacker add arbitrary headers to the outbound request. The consequences are header injection, credential spoofing toward the upstream server, log and cache poisoning, and request smuggling through intermediary proxies. The impact is on integrity only (CVSS C:N/I:H/A:N) and exposure depends on whether the application builds WebSocket client connections from user-controlled values; real-time services in the Saudi financial and government sectors that do so should treat the upgrade as a priority.

🤖 AI Intelligence Analysis (analyzed May 29, 2026 03:30)
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability matters to Saudi organizations whose Erlang/Elixir applications open WebSocket connections through hackney and build the target host, path, headers or subprotocols from values supplied by a user or a partner system. Exploitation needs no privileges or user interaction, but it does require that the application forward such untrusted input into the hackney_ws options; the injected headers travel in the outbound upgrade request from the vulnerable application to its upstream server. (1) Banking Sector (SAMA-regulated): real-time trading platforms, payment gateways and inter-bank integrations built this way could have headers such as Authorization spoofed toward the upstream and have their logs or caches poisoned, potentially leading to unauthorized transactions. (2) Government/NCA: digital government services that proxy WebSocket sessions to back-end systems could be made to send forged headers. (3) Telecom (STC, Mobily): real-time messaging and signalling gateways are exposed in the same way. (4) Energy Sector (ARAMCO): WebSocket bridges into SCADA and monitoring platforms. (5) Healthcare: telemedicine and patient-data streaming systems. The CVSS vector (C:N/I:H/A:N) describes an integrity impact: the flaw does not by itself give an attacker a man-in-the-middle position or read access to data, but spoofed credentials or smuggled requests at the upstream can lead to unauthorized actions. Organizations running hackney 2.0.0 through 4.0.0 in production should treat the upgrade as a priority.
🏢 Affected Saudi Sectors
Banking and Financial Services; Government and Public Administration; Telecommunications; Energy and Utilities; Healthcare; E-commerce; Real Estate and Property Management
⚖️ Saudi Risk Score (AI)
8.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all systems running hackney versions 2.0.0-4.0.0 across your infrastructure using dependency scanning tools
2. Isolate affected systems from production traffic if possible pending patching
3. Review WebSocket upgrade request logs for suspicious CRLF sequences or unexpected headers

PATCHING GUIDANCE:
1. Upgrade hackney to version 4.0.1 or later immediately
2. For Erlang/OTP projects: Update rebar3 or mix dependencies to hackney >= 4.0.1
3. Rebuild and redeploy all applications using hackney
4. Verify patch installation by checking hackney version in running processes

COMPENSATING CONTROLS (if immediate patching not possible):
1. Validate every value that reaches the host, path, headers and protocols options of hackney_ws:start_link/1; these four options are exactly the injection sites
2. Reject (or, at minimum, strip) CR (\r), LF (\n) and NUL (\0) bytes in user-supplied input before it is passed to hackney; rejecting is preferable because stripping can silently turn one attacker string into a different, still unexpected one
3. Check header names and values, upstream hosts and paths against an allowlist; do not let callers choose arbitrary header names
4. Apply WAF rules at the application's ingress to block encoded CRLF (%0d%0a) in parameters that feed WebSocket targets, and, where outbound connections pass through an egress proxy, reject upgrade requests that carry duplicate or unexpected headers. The injected request is sent by the vulnerable application itself, so ingress filtering only catches the attacker's payload before it is forwarded
5. Segment the network so the application can open WebSocket connections only to the upstream endpoints it actually needs

DETECTION RULES:
1. Monitor inbound requests for %0d%0a, %0a or literal \r\n in URL parameters or header values that the application uses to build WebSocket targets
2. Alert on outbound WebSocket upgrade requests with unexpected or duplicate headers (for example two Authorization or Host lines)
3. Log every outbound WebSocket connection attempt (target host, path, header names) and review for anomalies
4. Implement IDS signatures for CRLF injection patterns in HTTP traffic
5. Monitor for cache poisoning indicators (conflicting response headers, unexpected content)

VERIFICATION:
1. Test patched systems with CRLF injection payloads to confirm mitigation
2. Review application logs for any exploitation attempts during the vulnerability window
3. Conduct security testing of WebSocket implementations post-patch
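The concatenation pattern described in the NVD text, the input validation from the compensating controls and the duplicate-header detection rule, worked through as one added example. This is example code written for this page, not hackney's own source: render_upgrade/1 is a deliberately simplified reconstruction of the unsafe pattern (it is not hackney's do_handshake/1), the map keys host, path, headers and protocols follow the wording of the description rather than any verified hackney option schema, and the upstream host ws.example.internal, the token values and the X-Client-Id header are constructed inputs.

```erlang
%% ws_opts_guard.erl -- added example for CVE-2026-47072 (not hackney source).
%% Shows, in a simplified reconstruction, how verbatim concatenation of caller
%% options lets CRLF in any of them split the upgrade request; a validator to
%% run before hackney_ws:start_link/1; and a detector for spliced headers.
-module(ws_opts_guard).
-export([render_upgrade/1, validate_opts/1, scan_request/1, demo/0]).

%% Bytes that must never appear inside an HTTP/1.1 request line or header.
-define(FORBIDDEN, [<<"\r">>, <<"\n">>, <<0>>]).

%% Simplified reconstruction of the vulnerable pattern (illustration only, not
%% hackney's do_handshake/1): every option is spliced verbatim into the request.
render_upgrade(#{host := Host, path := Path, headers := Headers, protocols := Protos}) ->
    HeaderLines = [[Name, <<": ">>, Value, <<"\r\n">>] || {Name, Value} <- Headers],
    ProtoLine = case Protos of
                    [] -> <<>>;
                    _  -> [<<"Sec-WebSocket-Protocol: ">>, lists:join(<<", ">>, Protos), <<"\r\n">>]
                end,
    iolist_to_binary([<<"GET ">>, Path, <<" HTTP/1.1\r\n">>,
                      <<"Host: ">>, Host, <<"\r\n">>,
                      <<"Upgrade: websocket\r\nConnection: Upgrade\r\n">>,
                      HeaderLines, ProtoLine, <<"\r\n">>]).

%% Hardened wrapper: inspect all four injection sites (host, path, header names
%% and values, protocols) and refuse the whole call if any contains a forbidden
%% byte. Rejecting is preferred to stripping so that no input becomes
%% acceptable only after sanitisation.
validate_opts(Opts) ->
    Headers = maps:get(headers, Opts, []),
    Sites = [{host, maps:get(host, Opts, <<>>)},
             {path, maps:get(path, Opts, <<"/">>)}]
         ++ [{{header_name, N}, N} || {N, _} <- Headers]
         ++ [{{header_value, N}, V} || {N, V} <- Headers]
         ++ [{protocol, P} || P <- maps:get(protocols, Opts, [])],
    case [Site || {Site, Value} <- Sites, contains_forbidden(Value)] of
        []  -> {ok, Opts};
        Bad -> {error, {crlf_injection, Bad}}
    end.

%% Accepts binaries and iolists/strings; any other type fails closed (crashes).
contains_forbidden(Value) ->
    binary:match(iolist_to_binary(Value), ?FORBIDDEN) =/= nomatch.

%% Detection for an egress proxy or a test harness: a raw upgrade request with a
%% duplicated header name, or with bytes after the header terminator, is a
%% strong signal that something was spliced into one of the options.
scan_request(Raw) ->
    [_RequestLine | Rest] = binary:split(Raw, <<"\r\n">>, [global]),
    {HeaderLines, Trailer} = lists:splitwith(fun(L) -> L =/= <<>> end, Rest),
    Names = [string:lowercase(hd(binary:split(L, <<":">>))) || L <- HeaderLines],
    Dups = lists:usort([N || N <- Names, length([X || X <- Names, X =:= N]) > 1]),
    #{duplicate_headers => Dups,
      trailing_data => lists:any(fun(L) -> L =/= <<>> end, Trailer)}.

%% Constructed demonstration: the X-Client-Id value is what an untrusted caller
%% supplied; the host and token values are made up for this example.
demo() ->
    Tainted = #{host => <<"ws.example.internal">>,
                path => <<"/chat">>,
                headers => [{<<"Authorization">>, <<"Bearer svc-token">>},
                            {<<"X-Client-Id">>, <<"abc\r\nAuthorization: Bearer forged">>}],
                protocols => [<<"chat.v1">>]},
    %% The unsafe renderer emits two Authorization lines; the detector sees them.
    #{duplicate_headers := [<<"authorization">>], trailing_data := false} =
        scan_request(render_upgrade(Tainted)),
    %% The validator refuses the call before any request is built.
    {error, {crlf_injection, [{header_value, <<"X-Client-Id">>}]}} = validate_opts(Tainted),
    %% A second request smuggled through the path shows up as trailing data.
    Smuggled = Tainted#{headers := [], path := <<"/chat HTTP/1.1\r\n\r\nGET /admin">>},
    #{trailing_data := true} = scan_request(render_upgrade(Smuggled)),
    {error, {crlf_injection, [path]}} = validate_opts(Smuggled),
    %% Clean options pass both checks.
    Clean = Tainted#{headers := [{<<"Authorization">>, <<"Bearer svc-token">>}]},
    {ok, _} = validate_opts(Clean),
    #{duplicate_headers := [], trailing_data := false} = scan_request(render_upgrade(Clean)),
    ok.
```

Compile with `erlc ws_opts_guard.erl` and call `ws_opts_guard:demo()` in an Erlang shell; it returns `ok` when every pattern match succeeds. In a service, run `validate_opts/1` on the options map immediately before `hackney_ws:start_link/1` and treat `{error, _}` as a client error rather than a retryable failure. For patching guidance step 4, `application:get_key(hackney, vsn)` in the running node shows which hackney version is actually loaded; it should report 4.0.1 or later.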
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
Vulnerability Management (identify and patch hackney 2.0.0-4.0.0); Third-Party Cybersecurity (governance of open-source dependencies such as hackney); Identity and Access Management and Network Security Management (compensating controls: input validation, egress restriction); Cybersecurity Event Logs and Monitoring Management (the detection rules above)
🔵 SAMA CSF
Vulnerability Management (remediation within the mandated window); Application Security (input validation before the hackney call); Cybersecurity Event Management (monitoring for CRLF payloads and unexpected headers); Cybersecurity Incident Management (response if exploitation is found); Third-Party Cybersecurity (dependency risk)
🟡 ISO 27001:2022
A.5.19 Information security in supplier relationships; A.5.20 Addressing information security within supplier agreements; A.8.8 Management of technical vulnerabilities; A.8.16 Monitoring activities; A.8.28 Secure coding
🟣 PCI DSS v4.0.1
6.2.4 Software engineering techniques that prevent injection attacks; 6.3.1 and 6.3.2 Identify security vulnerabilities and maintain an inventory of bespoke software and its third-party components; 6.3.3 Install applicable security patches; 10.2 Audit logs that capture security events; 12.8 Manage risk from third-party service providers
📦 Affected Products / CPE (1 entry)
benoitc:hackney
📊 CVSS Score
7.5 / 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector: N — Network
Attack Complexity: L — Low
Privileges Required: N — None
User Interaction: N — None
Scope: U — Unchanged
Confidentiality: N — None
Integrity: H — High
Availability: N — None
📋 Quick Facts
Severity: High
CVSS Score: 7.5
CWE: CWE-93
EPSS: 0.05%
Exploit: ✓ Yes
Patch: ✓ Yes
Published: 2026-05-25
Source Feed: nvd
🇸🇦 Saudi Risk Score
8.2 / 10.0 — Saudi Risk
Priority: CRITICAL
🏷️ Tags
exploit-available patch-available CWE-93