GHSA-mp55-p8c9-rfw2

Source
https://github.com/advisories/GHSA-mp55-p8c9-rfw2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-mp55-p8c9-rfw2/GHSA-mp55-p8c9-rfw2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mp55-p8c9-rfw2
Published
2026-06-26T21:54:19Z
Modified
2026-06-26T22:00:10.691062066Z
Severity
  • 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
Summary
Hackney has CRLF / header injection via unvalidated `domain` and `path` options
Details

Summary

CRLF injection in hackney_cookie:setcookie/3 (src/hackney_cookie.erl). The function validates Name and Value against CR/LF and control characters but concatenates the `domain` and `path` options verbatim into the output binary. If either option carries attacker-controlled data (for example a Host header forwarded as the cookie domain, or a request URI forwarded as the cookie path), a `\r\n` in that value splits the Set-Cookie header and lets the attacker inject additional headers into the HTTP response.

Details

1. Asymmetric validation

Lines 27–34 of hackney_cookie.erl run binary:match on Name and Value, rejecting `=`, `,`, `;`, whitespace, `\r`, `\n`, `\013` and `\014`. The Domain and Path options (lines 47 and 51) skip this check entirely and land straight in the result iolist:

[<<"; Domain=">>, Domain]
[<<"; Path=">>,   Path]

iolist_to_binary(...) on line 63 flattens everything and returns it to the caller.

2. Injection

A Path of <<"/x\r\nSet-Cookie: admin=1; Path=/">> produces a binary with a literal \r\n. Written into a Set-Cookie response header, the receiving HTTP parser splits it into two headers — one legitimate, one attacker-controlled.

3. Realistic trigger

Common patterns: keying the cookie domain off Host, deriving the path from the request URI, or copying a Location path into a cookie. Any of these lets a remote attacker control the injected content.

PoC

  1. Call hackney_cookie:setcookie(<<"sid">>, <<"abc">>, [{path, <<"/x\r\nSet-Cookie: admin=1; Path=/">>}]).
  2. The returned binary contains a literal \r\n followed by a second Set-Cookie: line.
  3. Write the result into a Set-Cookie response header — the client parses two headers, including admin=1.
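
As an added illustration of the fix the advisory implies (hypothetical code, not hackney's module and not the referenced patch commit), the module below keeps the structure described above but runs a check over Domain and Path before they reach the iolist. The attribute check is an assumption on my part (RFC 6265 attribute grammar: no control bytes, no `;`), and the function returns `{ok, Bin}` or `{error, Reason}` rather than a bare binary.

```erlang
%% safe_cookie.erl -- hypothetical module, not hackney's code.
%% Same layout as the setcookie/3 the advisory describes, but every
%% option that lands in the output is validated, not only Name and Value.
-module(safe_cookie).
-export([setcookie/3, valid_token/1, valid_attr/1, demo/0]).

%% Byte sequences the advisory says hackney_cookie rejects in Name and
%% Value: '=', ',', ';', space, tab, CR, LF, VT (\013) and FF (\014).
-define(TOKEN_BAD, [<<"=">>, <<",">>, <<";">>, <<" ">>, <<"\t">>,
                    <<"\r">>, <<"\n">>, <<"\013">>, <<"\014">>]).

%% Name/Value check, as in the original: any hit in the deny list fails.
valid_token(Bin) when is_binary(Bin), byte_size(Bin) > 0 ->
    binary:match(Bin, ?TOKEN_BAD) =:= nomatch;
valid_token(_) -> false.

%% Domain/Path check (assumption: RFC 6265 attribute grammar, which
%% forbids control bytes and ';'). This is the check the vulnerable
%% code omits; CR and LF are control bytes, so a split payload fails here.
valid_attr(Bin) when is_binary(Bin) ->
    lists:all(fun(C) -> C >= 32 andalso C =/= 127 andalso C =/= $; end,
              binary_to_list(Bin));
valid_attr(_) -> false.

%% Build the Set-Cookie value. Domain and Path go through valid_attr/1
%% before concatenation, so no unchecked byte from Opts reaches the header.
setcookie(Name, Value, Opts) when is_list(Opts) ->
    Attrs = [{Prefix, A} || {Key, Prefix} <- [{domain, <<"; Domain=">>},
                                              {path,   <<"; Path=">>}],
                            {K, A} <- Opts, K =:= Key],
    case valid_token(Name) andalso valid_token(Value) andalso
         lists:all(fun({_, A}) -> valid_attr(A) end, Attrs) of
        true ->
            {ok, iolist_to_binary([Name, <<"=">>, Value |
                                   [[P, A] || {P, A} <- Attrs]])};
        false ->
            {error, invalid_cookie_component}
    end.

%% The advisory's PoC path is rejected; a clean domain/path pair passes.
demo() ->
    Evil = <<"/x\r\nSet-Cookie: admin=1; Path=/">>,
    {error, _} = setcookie(<<"sid">>, <<"abc">>, [{path, Evil}]),
    {ok, Bin} = setcookie(<<"sid">>, <<"abc">>,
                          [{domain, <<"example.com">>}, {path, <<"/app">>}]),
    Bin.
```

Compile with `erlc safe_cookie.erl` and call `safe_cookie:demo()` from the shell; the same valid_attr/1 check can be applied at the call site of the unpatched hackney versions as a stopgap.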

Impact

Cookie injection / HTTP response splitting at the hackney_cookie API boundary. Affects hackney 0.9.0 through 4.0.0 wherever domain or path options are populated from request data. Exploitation can overwrite session/auth cookies, fix cookies, or strip Secure/HttpOnly flags. CVSS v4.0: 2.1 (LOW) — requires attacker-controlled input to reach the domain or path option.

Resources

  • Introduction commit: https://github.com/benoitc/hackney/commit/602d5c7f2ea4acbc83ed75230655d935a0750ebc
  • Patch commit: https://github.com/benoitc/hackney/commit/8e02b99c28aea1b3fa2ddc0e66f51fe5bb0ac540
Database specific
{
    "github_reviewed_at": "2026-06-26T21:54:19Z",
    "severity": "LOW",
    "cwe_ids": [
        "CWE-93"
    ],
    "nvd_published_at": "2026-05-25T15:16:21Z",
    "github_reviewed": true
}
Affected packages

Hex / hackney

Package

Name
hackney
Purl
pkg:hex/hackney

Affected ranges

Type
SEMVER
Events
Introduced
0.9.0
Fixed
4.0.1

Affected versions

0.*
0.13.1
0.14.0
0.14.1
0.14.2
0.14.3
0.15.0
0.15.2
1.*
1.0.1
1.0.2
1.0.5
1.0.6
1.1.0
1.2.0
1.3.0
1.3.1
1.3.2
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.8
1.4.10
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.7.0
1.7.1
1.8.0
1.8.2
1.8.3
1.8.4
1.8.5
1.8.6
1.9.0
1.10.0
1.10.1
1.11.0
1.12.0
1.12.1
1.13.0
1.14.0
1.14.2
1.14.3
1.15.0
1.15.1
1.15.2
1.16.0
1.17.0
1.17.1
1.17.2
1.17.3
1.17.4
1.18.0
1.18.1
1.18.2
1.19.0
1.19.1
1.20.0
1.20.1
1.21.0
1.22.0
1.23.0
1.24.0
1.24.1
1.25.0
2.*
2.0.0-beta.1
2.0.0
2.0.1
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.1.0
3.1.1
3.1.2
3.2.0
3.2.1
4.*
4.0.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-mp55-p8c9-rfw2/GHSA-mp55-p8c9-rfw2.json"