Hackney Server-Side Request Forgery Vulnerability

A Server-side Request Forgery (SSRF) vulnerability has been identified in the Hackney package, versions prior to 1.21.0. This vulnerability arises from improper URL parsing by the built-in URI module and Hackney itself. When the URL 'http://127.0.0.1?@127.2.2.2/' is processed, the URI module correctly identifies the host as '127.0.0.1', but Hackney mistakenly refers to the host as '127.2.2.2/'. This misinterpretation can be exploited in scenarios where users depend on the URI parsing for host validation.

Impact

Exploitation of this vulnerability allows for Server-side Request Forgery (SSRF) attacks, where an attacker can manipulate server-side requests to access internal resources or services.

Reproduction

To reproduce this vulnerability, use Hackney to send a request with a URL that includes userinfo (the part of the URL that comes before the path, typically used for authentication). The Hackney library will incorrectly parse the host, leading to a request being sent to an unintended destination. This can be demonstrated by using the Hackney HTTP client to make a GET request with the vulnerable URL format.

Remediation

Upgrade Hackney to version 1.21.0 or higher.