benoitc hackney CRLF Injection Vulnerability Allowing HTTP Response Splitting

Vulnerability

A CRLF injection vulnerability has been identified in the benoitc hackney library, in versions from 0.9.0 up to (but not including) 4.0.1. The library does not properly validate CRLF sequences in the cookie domain and path options, which allows HTTP response splitting. The issue arises in the hackney_cookie:setcookie/3 function, which correctly sanitizes the Name and Value parameters but fails to apply the same checks to the domain and path options. As a result, an attacker who can influence these options can inject CRLF sequences and additional Set-Cookie headers into the HTTP response.

Impact

Exploitation of this vulnerability leads to CRLF injection, allowing attackers to inject additional Set-Cookie headers into the HTTP response. This can overwrite existing cookies or introduce new ones, potentially bypassing security flags such as Secure or HttpOnly.

Reproduction

To reproduce this vulnerability, use the hackney_cookie:setcookie function with a domain or path option that includes a CRLF sequence. The injected CRLF will be interpreted by the HTTP parser as a header separator, allowing the injection of additional headers.

Remediation

Users can upgrade to hackney version 4.0.1 or later, where this vulnerability has been patched.
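
Until the upgrade is deployed, callers can reject unsafe domain and path values before they reach hackney_cookie:setcookie/3. The following is an added example, not hackney's code or its patch: the module safe_cookie and its functions are hypothetical, and it assumes the options are passed as a proplist with the keys domain and path.

```erlang
%% Added example: hypothetical wrapper module, not part of hackney.
-module(safe_cookie).
-export([setcookie/3, check_opts/1, demo/0]).

%% Options whose values are copied into the Set-Cookie header line
%% (assumed to be the proplist keys used for domain and path).
-define(TEXT_OPTS, [domain, path]).

%% Validate the options first; only call into hackney when they are clean.
setcookie(Name, Value, Opts) ->
    case check_opts(Opts) of
        ok -> {ok, hackney_cookie:setcookie(Name, Value, Opts)};
        {error, _} = Err -> Err
    end.

%% Returns ok, or {error, {bad_cookie_option, Key}} for the first bad option.
check_opts(Opts) ->
    check_opts(?TEXT_OPTS, Opts).

check_opts([], _Opts) ->
    ok;
check_opts([Key | Rest], Opts) ->
    case proplists:get_value(Key, Opts) of
        undefined -> check_opts(Rest, Opts);
        Val ->
            case safe_attr(Val) of
                true -> check_opts(Rest, Opts);
                false -> {error, {bad_cookie_option, Key}}
            end
    end.

%% Accept only iodata that contains no control characters (CR, LF, NUL, ...),
%% no DEL, and no ";" (which would terminate the attribute early).
%% Anything that is not valid iodata is rejected as well.
safe_attr(Val) ->
    try scan(iolist_to_binary(Val))
    catch error:badarg -> false
    end.

scan(<<>>) -> true;
scan(<<C, _/binary>>) when C < 32; C =:= 127; C =:= $; -> false;
scan(<<_, Rest/binary>>) -> scan(Rest).

%% Constructed sample inputs: one clean option list, one carrying a CRLF.
demo() ->
    [check_opts([{domain, <<"example.com">>}, {path, <<"/app">>}]),
     check_opts([{path, <<"/app\r\nSet-Cookie: sid=constructed">>}])].
```

Rejecting ";" goes beyond the CRLF issue described above; it is included because that character would also let a value introduce extra cookie attributes.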

Added: May 26, 2026, 7:22 PM
Updated: May 26, 2026, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.8
exploitability: 7.7
remediation: 0.0
relevance: 9.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.