hackney 4.0.1 is a security release. It fixes vulnerabilities across the
HTTP/1.1, HTTP/2, HTTP/3, WebSocket, cookie and URL handling code. There are
no API changes, so it is a drop-in upgrade from 4.0.0.
If you use hackney directly or through a library (HTTPoison, Tesla’s hackney
adapter, ExAws, and others), please upgrade.
{hackney, "4.0.1"}      %% rebar.config
{:hackney, "~> 4.0.1"}  # mix.exs
Note that a committed mix.lock or rebar.lock still pinned at 4.0.0 keeps the old
version until you run `mix deps.update hackney` or `rebar3 upgrade hackney`;
check the lock file (or `mix deps`) afterwards rather than trusting the
requirement alone.
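A quick audit of which version a project actually has locked, as an added example that is not part of this post or of hackney itself. The two lock snippets are constructed, and the script assumes only what this post states: that 4.0.1 is the release carrying these fixes, so anything locked below it does not include them (affected ranges for older lines are in the advisories, not here). It also reports which other packages in a mix.lock pull hackney in transitively, since HTTPoison-style users often never list hackney directly.

```python
import re
import sys
from typing import List, Optional, Tuple

# Release this post announces; anything locked below it lacks the listed fixes.
FIXED_VERSION = (4, 0, 1)

# Constructed sample lock files (not taken from any real project).
SAMPLE_MIX_LOCK = '''%{
  "hackney": {:hex, :hackney, "4.0.0", "deadbeef", [:rebar3], [{:certifi, "~> 2.15", [hex: :certifi, repo: "hexpm", optional: false]}], "hexpm", "cafebabe"},
  "httpoison": {:hex, :httpoison, "2.2.1", "0123abcd", [:mix], [{:hackney, "~> 4.0", [hex: :hackney, repo: "hexpm", optional: false]}], "hexpm", "4567ef01"},
}
'''

SAMPLE_REBAR_LOCK = '''{"1.2.0",
[{<<"certifi">>,{pkg,<<"certifi">>,<<"2.15.0">>},1},
 {<<"hackney">>,{pkg,<<"hackney">>,<<"4.0.1">>},0}]}.
'''

# mix.lock: one package per line, `"name": {:hex, :name, "version", ...}`.
MIX_HACKNEY_RE = re.compile(r'"hackney":\s*\{:hex,\s*:hackney,\s*"([^"]+)"')
MIX_ENTRY_RE = re.compile(r'^\s*"([^"]+)":\s*\{:hex,')
# rebar.lock: `{<<"name">>,{pkg,<<"name">>,<<"version">>},level}`.
REBAR_HACKNEY_RE = re.compile(r'\{<<"hackney">>,\{pkg,<<"hackney">>,<<"([^"]+)">>\}')


def parse_version(text: str) -> Tuple[int, ...]:
    """Numeric core of a version string; pre-release/build suffixes are ignored."""
    core = text.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def locked_hackney_version(lock_text: str) -> Optional[str]:
    """Version of hackney pinned in a mix.lock or rebar.lock, or None if absent."""
    for regex in (MIX_HACKNEY_RE, REBAR_HACKNEY_RE):
        match = regex.search(lock_text)
        if match:
            return match.group(1)
    return None


def needs_upgrade(lock_text: str) -> Optional[bool]:
    """True if hackney is locked below 4.0.1, False if at/above, None if not present."""
    version = locked_hackney_version(lock_text)
    if version is None:
        return None
    return parse_version(version) < FIXED_VERSION


def dependents_on_hackney(lock_text: str) -> List[str]:
    """Packages in a mix.lock whose own dependency list references hackney."""
    found = []
    for line in lock_text.splitlines():
        match = MIX_ENTRY_RE.match(line)
        if match and match.group(1) != "hackney" and "{:hackney," in line:
            found.append(match.group(1))
    return found


def report(lock_text: str, label: str) -> str:
    version = locked_hackney_version(lock_text)
    if version is None:
        return f"{label}: hackney not locked"
    state = "needs upgrade" if needs_upgrade(lock_text) else "ok"
    via = dependents_on_hackney(lock_text)
    suffix = f" (pulled in by {', '.join(via)})" if via else ""
    return f"{label}: hackney {version} {state}{suffix}"


if __name__ == "__main__":
    # Usage: python audit_hackney.py mix.lock [rebar.lock ...]
    paths = sys.argv[1:]
    if not paths:
        print(report(SAMPLE_MIX_LOCK, "sample mix.lock"))
        print(report(SAMPLE_REBAR_LOCK, "sample rebar.lock"))
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            print(report(fh.read(), path))
```

Run it against every lock file in a monorepo or umbrella app; the lock file, not mix.exs or rebar.config, is what the build actually installs.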
Fixes
- CVE-2026-47066: infinite loop in the Alt-Svc response parser
- CVE-2026-47073: unbounded WebSocket frame, message and handshake buffers
- CVE-2026-47074: slow-drip OOM on buffered HTTP/3 responses
- CVE-2026-47071: missing timeout on a proxy TLS upgrade
- CVE-2026-47076: SSRF allowlist bypass via percent-encoded host
- CVE-2026-47072: CR/LF injection in the WebSocket upgrade request
- CVE-2026-47075: CR/LF injection in the request target
- CVE-2026-47070: cross-origin HTTP/3 redirect leaked Authorization and Cookie
- CVE-2026-47069: CR/LF injection via cookie domain and path options
This release also bumps quic to 1.4.3 and h2 to 0.6.0.
Changelog: https://github.com/benoitc/hackney/blob/master/NEWS.md
Advisories: https://github.com/benoitc/hackney/security/advisories
Hex: https://hex.pm/packages/hackney
Thanks to PJUllrich, Ganbagana and tepel-chen for the reports, and to
maennchen for coordinating disclosure.