CVE-2025-1211 MEDIUM

CVE-2025-1211

Vendor N/A

Product hackney

Weakness CWE-918 · SSRF

Published February 11, 2025

Last update March 16, 2025

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L/E:P

What the vulnerability does

01Description

Versions of the package hackney before 1.21.0 are vulnerable to Server-side Request Forgery (SSRF) due to improper parsing of URLs by URI built-in module and hackey. Given the URL http://127.0.0.1?@127.2.2.2/, the URI function will parse and see the host as 127.0.0.1 (which is correct), and hackney will refer the host as 127.2.2.2/. This vulnerability can be exploited when users rely on the URL function for host checking.

Key dates

02Disclosure timeline

February 11, 2025 CVE published

March 16, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-1211

Related vulnerabilities

CVE-2025-1211

01Description

02Disclosure timeline

03References

04Related CVE