Benoitc Hackney Interpretation Conflict Vulnerability Allowing Server-Side Request Forgery

Vulnerability

A vulnerability in the Benoitc Hackney HTTP client library for Erlang, affecting versions from 0.13.0 up to but not including 4.0.1, allows Server-Side Request Forgery (SSRF) through an interpretation conflict in URL normalization. Hackney's `hackney_url:normalize/2` percent-decodes the host component of a URL, but it does so only after the calling application has typically already validated that URL against its allowlist. The allowlist check therefore inspects one host string (the percent-encoded form) while Hackney connects to another (the decoded form). An attacker who controls the URL can supply a percent-encoded host that passes the caller's check and is then decoded into the address of an internal service or a cloud metadata endpoint.

Impact

This vulnerability allows unauthorized SSRF by bypassing allowlist validation that the calling application performs on the un-normalized URL, enabling attackers to reach internal resources or metadata services that such validation is meant to protect.

Reproduction

To reproduce this vulnerability, send a request using Hackney's `request/5` function with a URL whose host is a percent-encoded IP address, such as `http://%31%32%37%2E%30%2E%30%2E%31/`. The `normalize/2` function decodes the host to `127.0.0.1`, and the request is sent to the loopback address, bypassing any SSRF check that only inspected the encoded host string.
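The following is an added example that models the check-then-normalize ordering described above; it is not Hackney's code or the Erlang reproduction. The guard policy (refuse loopback, private and link-local addresses and `localhost`) and the `normalize_host` stand-in for the client's percent-decoding are assumptions chosen to mirror the page's description, and the URLs are constructed inputs. `vulnerable_request` checks the host as written and then decodes it, so the guard and the connection see different hosts; `hardened_request` normalizes first, refuses any host that contained a percent sign at all, and then checks the same string that would be connected to.

```python
"""Model of validate-then-normalize SSRF bypass (constructed example, not hackney code)."""
import ipaddress
from urllib.parse import unquote


def host_is_internal(host: str) -> bool:
    """Assumed guard policy: block loopback, private and link-local IP literals
    (cloud metadata lives at 169.254.169.254) and the name 'localhost'."""
    if host.lower().rstrip(".") == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal as written, so the guard lets it through
    return ip.is_loopback or ip.is_private or ip.is_link_local


def split_host(url: str) -> str:
    """Return the host of an http(s) URL exactly as written, with no decoding."""
    sep = url.find("://")
    if sep < 0:
        raise ValueError("URL has no scheme")
    authority = url[sep + 3:].split("/", 1)[0]
    authority = authority.rsplit("@", 1)[-1]          # drop userinfo
    if authority.startswith("["):                     # bracketed IPv6 literal
        return authority[1:authority.index("]")]
    return authority.split(":", 1)[0]                 # drop port


def normalize_host(host: str) -> str:
    """Simplified stand-in for a client that percent-decodes the host component
    after the caller has already run its checks (assumption, not hackney's code)."""
    return unquote(host).lower().rstrip(".")


def vulnerable_request(url: str) -> str:
    """Check first, normalize second. Returns the host the connection would go to."""
    raw_host = split_host(url)
    if host_is_internal(raw_host):
        raise PermissionError(f"blocked: {raw_host}")
    return normalize_host(raw_host)


def hardened_request(url: str) -> str:
    """Refuse percent-encoded hosts outright (DNS names and IP literals never need
    them), then normalize, then check the very string that will be connected to."""
    raw_host = split_host(url)
    if "%" in raw_host:
        raise PermissionError(f"blocked: percent-encoded host {raw_host}")
    host = normalize_host(raw_host)
    if host_is_internal(host):
        raise PermissionError(f"blocked: {host}")
    return host


def outcome(fn, url: str) -> str:
    """Run a request function and report either the target host or 'blocked'."""
    try:
        return fn(url)
    except PermissionError:
        return "blocked"


# Constructed inputs: the advisory's loopback URL and a metadata-endpoint variant.
LOOPBACK_ENCODED = "http://%31%32%37%2E%30%2E%30%2E%31/"
METADATA_ENCODED = "http://%31%36%39%2E%32%35%34%2E%31%36%39%2E%32%35%34/latest/meta-data/"
BENIGN = "https://api.example.com/v1/resource"

if __name__ == "__main__":
    for url in (LOOPBACK_ENCODED, METADATA_ENCODED, BENIGN, "http://127.0.0.1/"):
        print(f"{url}\n  vulnerable -> {outcome(vulnerable_request, url)}"
              f"\n  hardened   -> {outcome(hardened_request, url)}")
```

The vulnerable flow lets both encoded URLs through because `%31%32%37...` is not an IP literal as written, then decodes them to `127.0.0.1` and `169.254.169.254`; the plain `http://127.0.0.1/` is caught only because it was never encoded. The hardened flow rejects the encoded hosts before any decoding and still accepts the benign hostname.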

Remediation

Users should upgrade to Hackney version 4.0.1 or later, where this vulnerability has been patched. Until the upgrade is in place, callers can mitigate by rejecting any URL whose host component contains a percent sign (hostnames and IP literals never legitimately require percent-encoding), or by running their allowlist check on the normalized URL rather than on the raw input.

Added: May 26, 2026, 7:17 PM
Updated: May 26, 2026, 7:17 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 8.0
remediation: 0.0
relevance: 9.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.