CVE-2025-1211

Versions of the package hackney before 1.21.0 are vulnerable to Server-side Request Forgery (SSRF) due to improper parsing of URLs by the URI built-in module and hackney. Given the URL http://127.0.0.1?@127.2.2.2/, the URI function will parse it and see the host as 127.0.0.1 (which is correct), while hackney will refer to the host as 127.2.2.2/. This vulnerability can be exploited when users rely on the URI function for host checking, because the host that is validated is not the host that hackney connects to.
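An added illustration (not code from hackney or from this record) of the parser split described above and of a host check that fails closed on it. strict_host follows the split the description attributes to the URI module; lenient_host is a simplified stand-in (an assumption, not hackney's implementation) for a parser that honours a userinfo '@' before the authority is delimited; check_target and ALLOWED_HOSTS are hypothetical names.

```python
from typing import Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed sample inputs; the first is the URL quoted in the CVE description.
AMBIGUOUS_URL = "http://127.0.0.1?@127.2.2.2/"
PLAIN_URL = "http://127.0.0.1/health"

# Constructed allowlist for the demo: only loopback is an acceptable target.
ALLOWED_HOSTS = {"127.0.0.1"}


def strict_host(url: str) -> Optional[str]:
    """Authority ends at the first '/', '?' or '#' (RFC 3986 style), as the
    description says the URI module behaves: '@127.2.2.2/' is the query."""
    return urlsplit(url).hostname


def lenient_host(url: str) -> str:
    """Simplified stand-in (assumption, not hackney's code) for a parser that
    looks for a userinfo '@' before delimiting the authority. It reproduces the
    wrong-host outcome (127.2.2.2) but not the trailing slash the record quotes."""
    rest = url.split("://", 1)[1]
    if "@" in rest:
        rest = rest.split("@", 1)[1]       # everything after '@' is "the authority"
    for delim in "/?#":
        rest = rest.split(delim, 1)[0]
    return rest


def check_target(url: str, allowed_hosts: Set[str] = ALLOWED_HOSTS) -> Tuple[bool, str]:
    """Defensive SSRF guard. Reject when the canonical host is not allowlisted,
    when the URL carries an '@' at all (userinfo is not needed here and is the
    character that triggers the split), or when the two parsers disagree."""
    host = strict_host(url)
    if host not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    if "@" in url:
        # The allowlist check alone would have passed AMBIGUOUS_URL.
        return False, "userinfo/@ not permitted"
    if lenient_host(url) != host:
        return False, "parser disagreement"
    return True, host


if __name__ == "__main__":
    for u in (AMBIGUOUS_URL, PLAIN_URL):
        print(u, strict_host(u), lenient_host(u), check_target(u))
```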
Configurations

No configuration.

History

16 Mar 2025, 13:15

Type: References
  Values Added:
  • https://github.com/benoitc/hackney/commit/9594ce58fabd32cd897fc28fae937694515a3d4a
Type: Summary (es)
  Values Added:
  • (es, translated) Versions of the hackney package starting from version 0.0.0 are vulnerable to Server-side Request Forgery (SSRF) due to incorrect parsing of URLs by the built-in URI module and hackney. Given the URL http://127.0.0.1?@127.2.2.2/, the URI function will parse it and see the host as 127.0.0.1 (which is correct), and hackney will refer to the host as 127.2.2.2/. This vulnerability can be exploited when users depend on the URL function for host verification.
Type: Summary (en)
  Values Removed:
  • Versions of the package hackney from 0.0.0 are vulnerable to Server-side Request Forgery (SSRF) due to improper parsing of URLs by URI built-in module and hackey. Given the URL http://127.0.0.1?@127.2.2.2/, the URI function will parse and see the host as 127.0.0.1 (which is correct), and hackney will refer the host as 127.2.2.2/. This vulnerability can be exploited when users rely on the URL function for host checking.
  Values Added:
  • Versions of the package hackney before 1.21.0 are vulnerable to Server-side Request Forgery (SSRF) due to improper parsing of URLs by URI built-in module and hackey. Given the URL http://127.0.0.1?@127.2.2.2/, the URI function will parse and see the host as 127.0.0.1 (which is correct), and hackney will refer the host as 127.2.2.2/. This vulnerability can be exploited when users rely on the URL function for host checking.

11 Feb 2025, 16:15

Type: References
  Values Removed:
  • https://gist.github.com/snoopysecurity/996de09ec0cfd0ebdcfdda8ff515deb1
  Values Added:
  • https://gist.github.com/snoopysecurity/996de09ec0cfd0ebdcfdda8ff515deb1

11 Feb 2025, 05:15

Type: New CVE

Information

Published : 2025-02-11 05:15

Updated : 2025-03-16 13:15


NVD link : CVE-2025-1211

Mitre link : CVE-2025-1211

CVE.ORG link : CVE-2025-1211


Products Affected

No product.

CWE
CWE-918

Server-Side Request Forgery (SSRF)