MEDIUMπŸ‡΅πŸ‡± Wersja polska

CVE-2026-47076

CVSS 6.9v4.0pub. 2026-05-25upd. 2026-05-27

Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery. hackney_url:normalize/2 URL-decodes the host component after the URL has been parsed into a #hackney_url{} record. OTP's uri_string:parse/1 and inet:parse_address/1 do not decode percent-escapes in the host, so a URL such as http://%31%32%37%2E%30%2E%30%2E%31/ is seen by a caller's allowlist validator with host %31%32%37%2E%30%2E%30%2E%31 (not an IP address), which passes the allowlist check. hackney's normalizer then decodes the host to 127.0.0.1 and opens a TCP connection to loopback. Because hackney:request/5 always calls hackney_url:normalize/2 with no opt-out, every request that takes a binary or list URL is affected. The same technique reaches cloud instance metadata services (169.254.169.254), RFC1918 networks, and any admin interface listening on localhost. This issue affects hackney: from 0.13.0 before 4.0.1.

CVSS Vector
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Benoitc Hackney

    APP
    Benoitc
    0.13.0 – 4.0.1 (bez)
πŸ”΅
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-47077HIGH8.2ten sam produkt

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney...

CVE-2026-47067HIGH8.7ten sam produkt

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The URL...

CVE-2026-47071HIGH8.2ten sam produkt

Uncontrolled Resource Consumption vulnerability in benoitc hackney allows Flooding. The SOCKS5 transport in sr...

CVE-2026-47073HIGH8.7ten sam produkt

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The Web...

CVE-2026-47066HIGH8.7ten sam produkt

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in benoitc hackney allows Excessive Alloc...

CVE-2026-47076 β€” Benoitc β€” Hackney β€” MEDIUM β€” CVSS 6.9 | CVEbaza.pl