Skip to content

Update hackney dependency to 4.x to fix CVE-2026-47075 and CVE-2026-47066 #149

Description

@klacointe

Security vulnerabilities in hackney dependency

The current hackney constraint (~> 1.9) pins waffle to the 1.x line, which is affected by two high-severity CVEs:

CVE Title Severity Fixed in
CVE-2026-47075 CRLF Injection / HTTP Request Splitting High (7.5) 4.0.1
CVE-2026-47066 Infinite Loop (DoS) High 4.0.1

CVE-2026-47075 allows an attacker who controls any part of the URL passed to hackney to inject raw CRLF sequences into the request target, enabling arbitrary HTTP header injection or request splitting.

Proposed fix

Bump the hackney constraint to ~> 4.0 in mix.exs, and upgrade ex_aws to >= 2.7.0 (the first version to declare hackney ~> 4.0). The existing ~> 2.1 constraint in waffle already allows this.

Breaking changes — waffle code changes required

This is not a drop-in bump. hackney 3.0.0 introduced breaking API changes that affect lib/waffle/http_client/hackney.ex directly:

Response format change

%% 1.x — body fetched separately via a connection ref
{ok, Status, Headers, ConnRef} = hackney:get(URL),
{ok, Body} = hackney:body(ConnRef, MaxLength).

%% 3.x+ — body returned directly in the response tuple
{ok, Status, Headers, Body} = hackney:get(URL).

Removed functions

Removed Replacement
hackney:body/1 Body now in response tuple
hackney:body/2 Body now in response tuple
hackney:stream_body/1 Use async mode with [async] or [{async, once}]

Waffle currently calls :hackney.get/4 and then :hackney.body(client_ref, max_body_length) — both the pattern match on the response and the body call will need updating.

See the official hackney Migration Guide for full details.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions