benoitc hackney
- < 4.0.1
A CRLF injection vulnerability has been identified in the benoitc hackney HTTP client library for Erlang. hackney improperly handles carriage return and line feed characters in the URL query component, which allows HTTP request splitting. Before version 4.0.1, hackney's URL construction did not percent-encode these characters as required by RFC 3986, so attackers could inject raw CRLF sequences. When the request is sent, these sequences are interpreted as line breaks, which makes it possible to inject arbitrary HTTP headers or split the request into two.
Exploitation of this vulnerability leads to HTTP header injection and request splitting on any server that hackney connects to.
The vulnerability is reproduced when an attacker controls a URL passed to the hackney library and that URL includes unescaped CRLF sequences in the query component. When the request is sent, the injected CRLF splits the request line, allowing for header injection.
Users can upgrade to hackney version 4.0.1 or later, where this vulnerability has been fixed.
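As defense in depth for callers that pass untrusted URLs to an HTTP client, the following added example (not hackney's code and not the 4.0.1 fix) either rejects a URL containing raw control bytes or percent-encodes them before the URL is used. The module name `url_guard`, its function names and the sample URL are assumptions constructed for illustration; the check goes beyond CR and LF to cover the other C0 control bytes, space and DEL.

```erlang
%% Added example: caller-side URL guard, not hackney's own code.
-module(url_guard).
-export([check/1, encode/1, demo/0]).

%% Bytes that must never appear raw in a URL handed to an HTTP client:
%% C0 controls (including CR 16#0D and LF 16#0A), space and DEL.
-define(IS_FORBIDDEN(C), (C =< 16#20 orelse C =:= 16#7F)).

%% Strict mode: refuse the URL and report the offending byte and its offset.
-spec check(binary()) ->
    {ok, binary()} | {error, {forbidden_byte, byte(), non_neg_integer()}}.
check(Url) when is_binary(Url) ->
    scan(Url, Url, 0).

scan(<<>>, Url, _Pos) ->
    {ok, Url};
scan(<<C, _/binary>>, _Url, Pos) when ?IS_FORBIDDEN(C) ->
    {error, {forbidden_byte, C, Pos}};
scan(<<_, Rest/binary>>, Url, Pos) ->
    scan(Rest, Url, Pos + 1).

%% Lenient mode: percent-encode the forbidden bytes so they reach the
%% server as data instead of being read as line breaks. Existing
%% percent-escapes are left untouched, so nothing is double-encoded.
-spec encode(binary()) -> binary().
encode(Url) when is_binary(Url) ->
    << <<(enc(C))/binary>> || <<C>> <= Url >>.

enc(C) when ?IS_FORBIDDEN(C) ->
    <<"%", (hex(C bsr 4)), (hex(C band 16#0F))>>;
enc(C) ->
    <<C>>.

hex(N) when N < 10 -> $0 + N;
hex(N) -> $A + N - 10.

%% Constructed sample input: CR LF placed in the query component.
%% Returns the strict result, the encoded URL, and the strict result
%% for the encoded URL.
demo() ->
    Url = <<"http://example.test/search?q=a\r\nX-Constructed: 1">>,
    {check(Url), encode(Url), check(encode(Url))}.
```

Compile it in an Erlang shell with `c(url_guard).` and call `url_guard:demo().` to compare the strict and lenient results for the same input.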