benoitc hackney
- Affected versions: >= 2.0.0, < 4.0.1
A CRLF injection vulnerability has been identified in the benoitc hackney HTTP client library, specifically in versions 2.0.0 prior to 4.0.1. This vulnerability allows HTTP request/response splitting during the WebSocket upgrade process. The issue arises because the upgrade request builder in 'src/hackney_ws.erl' concatenates user-supplied 'host', 'path', 'headers', and 'protocols' options into the HTTP request without proper sanitization, allowing attackers to inject arbitrary headers. Exploitation can lead to header injection, credential spoofing, log and cache poisoning, or request smuggling via intermediary proxies.
Exploitation of this vulnerability can result in HTTP header injection, allowing for the manipulation of WebSocket upgrade requests. This could be used to spoof authentication credentials, poison logs or caches, or smuggle requests through intermediary proxies.
To reproduce this vulnerability, initiate a WebSocket connection using 'hackney_ws:start_link/1' and include a header that contains CRLF sequences, such as 'X-User' with a value that includes a newline character. The injected header will be processed by the WebSocket server as a legitimate header, demonstrating the successful exploitation of the CRLF injection vulnerability.
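The root cause above is that caller-supplied pieces of the upgrade request are concatenated into the wire format without checking for line terminators. The following Erlang module is an added illustration of the defensive check a client should perform; it is not hackney's own code, and the module and function names (ws_upgrade_guard, build_upgrade_request/1, has_crlf/1, demo/0) and the sample host and header values are assumptions constructed for this example. It rejects any host, path, header name, header value or subprotocol that contains a CR or LF byte before the request is ever assembled.

```erlang
%% Added example (not hackney's src/hackney_ws.erl): build a WebSocket
%% upgrade request only after every user-controlled field has been
%% checked for CR/LF, so a single header value cannot become two headers.
-module(ws_upgrade_guard).
-export([build_upgrade_request/1, has_crlf/1, demo/0]).

%% True if the iodata contains a bare CR or LF byte anywhere.
has_crlf(Value) ->
    Bin = iolist_to_binary(Value),
    binary:match(Bin, [<<"\r">>, <<"\n">>]) =/= nomatch.

%% Abort the build if a field could terminate the current header line.
check_field(Name, Value) ->
    case has_crlf(Value) of
        true  -> throw({error, {crlf_in_field, Name}});
        false -> ok
    end.

%% Opts is a proplist with host, path, headers ({Name, Value} pairs) and
%% protocols (list of strings). Returns {ok, RequestBinary} or
%% {error, {crlf_in_field, Which}}.
build_upgrade_request(Opts) ->
    Host      = proplists:get_value(host, Opts),
    Path      = proplists:get_value(path, Opts, "/"),
    Headers   = proplists:get_value(headers, Opts, []),
    Protocols = proplists:get_value(protocols, Opts, []),
    try
        check_field(host, Host),
        check_field(path, Path),
        lists:foreach(fun({K, V}) ->
                              check_field({header_name, K}, K),
                              check_field({header_value, K}, V)
                      end, Headers),
        lists:foreach(fun(P) -> check_field(protocol, P) end, Protocols),
        HeaderLines = [[K, ": ", V, "\r\n"] || {K, V} <- Headers],
        ProtoLine = case Protocols of
                        [] -> [];
                        _  -> ["Sec-WebSocket-Protocol: ",
                               lists:join(", ", Protocols), "\r\n"]
                    end,
        Request = ["GET ", Path, " HTTP/1.1\r\n",
                   "Host: ", Host, "\r\n",
                   "Upgrade: websocket\r\n",
                   "Connection: Upgrade\r\n",
                   HeaderLines, ProtoLine, "\r\n"],
        {ok, iolist_to_binary(Request)}
    catch
        throw:{error, Reason} -> {error, Reason}
    end.

%% Constructed inputs: the first call succeeds, the second carries a CRLF
%% inside the X-User value (the shape described in the advisory) and is
%% refused with {error, {crlf_in_field, {header_value, "X-User"}}}.
demo() ->
    Good = build_upgrade_request([{host, "ws.example.test"},
                                  {path, "/chat"},
                                  {headers, [{"X-User", "alice"}]},
                                  {protocols, ["chat", "superchat"]}]),
    Bad  = build_upgrade_request([{host, "ws.example.test"},
                                  {path, "/chat"},
                                  {headers, [{"X-User", "alice\r\nX-Injected: 1"}]}]),
    {Good, Bad}.
```

Compile with `erlc ws_upgrade_guard.erl` and call `ws_upgrade_guard:demo().` from an Erlang shell. The check is deliberately applied to every field, not just header values: the advisory names 'host', 'path' and 'protocols' as injection points too, and a validator that only looks at the headers list would leave those paths open.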
Users can upgrade to hackney version 4.0.1 or later, where this vulnerability has been patched.