CVE-2025-1211 Information

Feb 12, 2025 cve

Description

Versions of the package hackney from 0.0.0 are vulnerable to Server-side Request Forgery (SSRF) due to improper parsing of URLs by URI built-in module and hackey. Given the URL http://127.0.0.1?@127.2.2.2/ the URI function will parse and see the host as 127.0.0.1 (which is correct) and hackney will refer the host as 127.2.2.2/. This vulnerability can be exploited when users rely on the URL function for host checking.

Reference

https://gist.github.com/snoopysecurity/996de09ec0cfd0ebdcfdda8ff515deb1 https://gist.github.com/snoopysecurity/996de09ec0cfd0ebdcfdda8ff515deb1 https://security.snyk.io/vuln/SNYK-HEX-HACKNEY-6516131 https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf

Share on: