Security vulnerabilities in hackney dependency
The current hackney constraint (~> 1.9) pins waffle to the 1.x line, which is affected by two high-severity CVEs:
| CVE |
Title |
Severity |
Fixed in |
| CVE-2026-47075 |
CRLF Injection / HTTP Request Splitting |
High (7.5) |
4.0.1 |
| CVE-2026-47066 |
Infinite Loop (DoS) |
High |
4.0.1 |
CVE-2026-47075 allows an attacker who controls any part of the URL passed to hackney to inject raw CRLF sequences into the request target, enabling arbitrary HTTP header injection or request splitting.
Proposed fix
Bump the hackney constraint to ~> 4.0 in mix.exs, and upgrade ex_aws to >= 2.7.0 (the first version to declare hackney ~> 4.0). The existing ~> 2.1 constraint in waffle already allows this.
Breaking changes — waffle code changes required
This is not a drop-in bump. hackney 3.0.0 introduced breaking API changes that affect lib/waffle/http_client/hackney.ex directly:
Response format change
%% 1.x — body fetched separately via a connection ref
{ok, Status, Headers, ConnRef} = hackney:get(URL),
{ok, Body} = hackney:body(ConnRef, MaxLength).
%% 3.x+ — body returned directly in the response tuple
{ok, Status, Headers, Body} = hackney:get(URL).
Removed functions
| Removed |
Replacement |
hackney:body/1 |
Body now in response tuple |
hackney:body/2 |
Body now in response tuple |
hackney:stream_body/1 |
Use async mode with [async] or [{async, once}] |
Waffle currently calls :hackney.get/4 and then :hackney.body(client_ref, max_body_length) — both the pattern match on the response and the body call will need updating.
See the official hackney Migration Guide for full details.
Security vulnerabilities in hackney dependency
The current hackney constraint (
~> 1.9) pins waffle to the 1.x line, which is affected by two high-severity CVEs:CVE-2026-47075 allows an attacker who controls any part of the URL passed to hackney to inject raw CRLF sequences into the request target, enabling arbitrary HTTP header injection or request splitting.
Proposed fix
Bump the hackney constraint to
~> 4.0inmix.exs, and upgradeex_awsto>= 2.7.0(the first version to declarehackney ~> 4.0). The existing~> 2.1constraint in waffle already allows this.Breaking changes — waffle code changes required
This is not a drop-in bump. hackney 3.0.0 introduced breaking API changes that affect
lib/waffle/http_client/hackney.exdirectly:Response format change
Removed functions
hackney:body/1hackney:body/2hackney:stream_body/1[async]or[{async, once}]Waffle currently calls
:hackney.get/4and then:hackney.body(client_ref, max_body_length)— both the pattern match on the response and the body call will need updating.See the official hackney Migration Guide for full details.