CVE-2025-1211
📋 TL;DR
This SSRF vulnerability in hackney versions before 1.21.0 allows attackers to bypass URL parsing checks and make requests to internal systems. It affects applications that use hackney for HTTP requests and validate URLs before sending them. The vulnerability is caused by inconsistent URL parsing between the URI module and hackney.
💻 Affected Systems
- hackney
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal services, sensitive APIs, cloud metadata endpoints, or pivot to internal networks leading to data exfiltration or further compromise.
Likely Case
Unauthorized access to internal HTTP services, port scanning of internal networks, or accessing cloud instance metadata.
If Mitigated
Limited to services accessible from the vulnerable server with proper network segmentation and authentication.
🎯 Exploit Status
Exploit requires user-controlled URL input. Public PoC available in references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.21.0
Vendor Advisory: https://github.com/benoitc/hackney/commit/9594ce58fabd32cd897fc28fae937694515a3d4a
Restart Required: Yes
Instructions:
1. Update hackney dependency to version 1.21.0 or later.
2. Update mix.exs or rebar.config.
3. Run mix deps.get or rebar3 compile.
4. Restart application.
🔧 Temporary Workarounds
Input validation and sanitization
Validate and sanitize all URL inputs before passing to hackney
Network restrictions
Implement outbound firewall rules to restrict hackney requests to trusted domains
🧯 If You Can't Patch
- Implement strict input validation for all URL parameters
- Deploy network segmentation and restrict outbound connections from vulnerable systems
🔍 How to Verify
Check if Vulnerable:
Check hackney version in mix.lock or rebar.lock. If version < 1.21.0, system is vulnerable.
Check Version:
Mix: mix deps | grep hackney
rebar3: rebar3 tree | grep hackney
Verify Fix Applied:
Verify hackney version is 1.21.0 or higher after update.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from application servers
- Requests to internal IP addresses or cloud metadata endpoints
Network Indicators:
- HTTP requests with @ symbols in URLs
- Requests from application servers to unexpected internal destinations
SIEM Query:
source="application_logs" AND (url CONTAINS "@" OR dest_ip IN [internal_ranges])
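The indicators above, turned into a check over outbound-request logs (an added example, not code from hackney or from this advisory). It flags a URL only when a strict RFC 3986 host and a lenient "text after the last @" host disagree, which is narrower than matching every "@"; the log format, the function names and the lenient rule are assumptions made for illustration and are not hackney's parser.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample lines; the "url=" field name is an assumption.
SAMPLE_LOG = [
    "2025-02-11T10:00:01Z outbound url=https://api.example/search?email=a@b.example",
    "2025-02-11T10:00:02Z outbound url=https://user:pw@api.example/v1",
    "2025-02-11T10:00:03Z outbound url=http://allowed.example?@10.0.0.5/",
    "2025-02-11T10:00:04Z outbound url=http://10.0.0.5:8080/health",
]

def strict_host(url):
    """Host per RFC 3986: the authority ends at the first '/', '?' or '#'."""
    return (urlsplit(url).hostname or "").lower()

def lenient_host(url):
    """Assumed lenient rule: authority ends only at '/', host follows the last '@'."""
    authority = url.split("://", 1)[-1].split("/", 1)[0]
    hostport = authority.rsplit("@", 1)[-1]
    if hostport.startswith("["):                 # bracketed IPv6 literal
        return hostport[1:].split("]", 1)[0].lower()
    return hostport.split(":", 1)[0].lower()

def is_internal(host):
    """True for literal private, loopback or link-local IPs (no DNS lookup)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local

def classify(url):
    try:
        strict = strict_host(url)
    except ValueError:                           # malformed authority
        return "unparseable"
    if strict != lenient_host(url):
        return "host-mismatch"                   # two parsers would pick different hosts
    return "internal-destination" if is_internal(strict) else "ok"

def scan(lines):
    """Return (url, verdict) for every logged URL that is not 'ok'."""
    hits = []
    for line in lines:
        url = line.split("url=", 1)[-1].strip()
        verdict = classify(url)
        if verdict != "ok":
            hits.append((url, verdict))
    return hits
```

The first sample line contains an "@" in its query string but is not flagged, because both host rules agree on api.example; a plain "url CONTAINS @" rule would alert on it.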
🔗 References
- https://gist.github.com/snoopysecurity/996de09ec0cfd0ebdcfdda8ff515deb1
- https://github.com/benoitc/hackney/commit/9594ce58fabd32cd897fc28fae937694515a3d4a
- https://security.snyk.io/vuln/SNYK-HEX-HACKNEY-6516131
- https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf