6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-1211

GHSA ID

GHSA-vq52-99r9-h5pw

EPSS Score

0.3023%

CWE

CWE-918

Published

2/11/2025

Updated

2/20/2025

KEV Status

Technology

Erlang

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-1211

CVE-2025-1211: Server-side Request Forgery (SSRF) in hackney

Versions of the package hackney from 0.0.0 are vulnerable to Server-side Request Forgery (SSRF) due to improper parsing of URLs by URI built-in module and hackey. Given the URL http://127.0.0.1?@127.2.2.2/, the URI function will parse and see the host as 127.0.0.1 (which is correct), and hackney will refer the host as 127.2.2.2/. This vulnerability can be exploited when users rely on the URL function for host checking.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-1211

GHSA ID

GHSA-vq52-99r9-h5pw

EPSS Score

0.3023%

CWE

CWE-918

Published

2/11/2025

Updated

2/20/2025

KEV Status

Technology

Erlang

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
hackney	erlang	< 1.21.0	1.21.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from URL parsing order inconsistencies between URI module and Hackney. The commit diff shows critical changes to parse_url/2 logic:- 1) Renamed parse_fragment -> cut_fragment- 2) Added cut_query processing before path splitting- 3) Modified raw_path construction. The original implementation parsed fragments first (allowing '@' in queries to affect host resolution), while the patched version processes queries before userinfo. The test case added for 'http://127.0.0.1?@127.2.2.2/' confirms this was the exploitation vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*rsions o* t** p**k*** ***kn*y *rom *.*.* *r* vuln*r**l* to S*rv*r-si** R*qu*st *or**ry (SSR*) *u* to improp*r p*rsin* o* URLs *y URI *uilt-in mo*ul* *n* ***k*y. *iv*n t** URL *ttp://***.*.*.*?@***.*.*.*/, t** URI *un*tion will p*rs* *n* s** t** *os

Reasoning

T** vuln*r**ility st*ms *rom URL p*rsin* or**r in*onsist*n*i*s **tw**n URI mo*ul* *n* ***kn*y. T** *ommit *i** s*ows *riti**l ***n**s to p*rs*_url/* lo*i*:- *) R*n*m** p*rs*_*r**m*nt -> *ut_*r**m*nt- *) ***** *ut_qu*ry pro**ssin* ***or* p*t* splittin

6.5

Basic Information

Concerned about an active attack path?

CVE-2025-1211: Server-side Request Forgery (SSRF) in hackney

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI