CVE-2025-1211

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-1211

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-1211.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-1211

Aliases

GHSA-vq52-99r9-h5pw

Published

2025-02-11T05:15:14Z

Modified

2025-03-18T09:03:25.058628Z

Summary

[none]

Details

Versions of the package hackney before 1.21.0 are vulnerable to Server-side Request Forgery (SSRF) due to improper parsing of URLs by URI built-in module and hackey. Given the URL http://127.0.0.1?@127.2.2.2/, the URI function will parse and see the host as 127.0.0.1 (which is correct), and hackney will refer the host as 127.2.2.2/. This vulnerability can be exploited when users rely on the URL function for host checking.

References

Affected packages

Git / github.com/benoitc/hackney

Affected ranges

Type: GIT
Repo: https://github.com/benoitc/hackney
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

9594ce58fabd32cd897fc28fae937694515a3d4a

Affected versions

0.*

0.1.0

0.10.0

0.10.1

0.11.0

0.11.1

0.11.2

0.12.0

0.12.1

0.13.0

0.13.1

0.14.0

0.14.1

0.14.2

0.14.3

0.15.0

0.15.1

0.15.2

0.16.0

0.2.0

0.3.0

0.3.1

0.3.2

0.4.0

0.4.1

0.4.2

0.4.3

0.4.4

0.5.0

0.6.0

0.6.1

0.7.0

0.8.0

0.8.1

0.8.2

0.8.3

0.9.0

0.9.1

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.1.0

1.10.0

1.10.1

1.11.0

1.12.0

1.12.1

1.13.0

1.14.0

1.14.2

1.14.3

1.15.0

1.15.1

1.15.2

1.16.0

1.17.0

1.17.1

1.17.2

1.17.3

1.17.4

1.18.0

1.18.1

1.18.2

1.19.0

1.19.1

1.2.0

1.20.0

1.20.1

1.3.0

1.3.1

1.3.2

1.4.0

1.4.1

1.4.10

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.4.7

1.4.8

1.4.9

1.5.0

1.5.1

1.5.2

1.5.4

1.5.5

1.5.6

1.5.7

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

1.6.5

1.6.6

1.7.0

1.7.1

1.8.0

1.8.2

1.8.3

1.8.4

1.8.5

1.8.6

1.9.0

v1.*

v1.17.0