6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-1211

GHSA ID

GHSA-vq52-99r9-h5pw

EPSS Score

0.3023%

CWE

CWE-918

Published

2/11/2025

Updated

2/20/2025

KEV Status

Technology

Erlang

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-1211

CVE-2025-1211: Server-side Request Forgery (SSRF) in hackney

Versions of the package hackney from 0.0.0 are vulnerable to Server-side Request Forgery (SSRF) due to improper parsing of URLs by URI built-in module and hackey. Given the URL http://127.0.0.1?@127.2.2.2/, the URI function will parse and see the host as 127.0.0.1 (which is correct), and hackney will refer the host as 127.2.2.2/. This vulnerability can be exploited when users rely on the URL function for host checking.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-1211

CVE-2025-1211:

6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-1211

GHSA ID

GHSA-vq52-99r9-h5pw

EPSS Score

0.3023%

CWE

CWE-918

Published

2/11/2025

Updated

2/20/2025

KEV Status

Technology

Erlang

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
hackney	erlang	< 1.21.0	1.21.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from URL parsing order inconsistencies between URI module and Hackney. The commit diff shows critical changes to parse_url/2 logic:- 1) Renamed parse_fragment -> cut_fragment- 2) Added cut_query processing before path splitting- 3) Modified raw_path construction. The original implementation parsed fragments first (allowing '@' in queries to affect host resolution), while the patched version processes queries before userinfo. The test case added for 'http://127.0.0.1?@127.2.2.2/' confirms this was the exploitation vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-1211: Server-side Request Forgery (SSRF) in hackney

CVE-2025-1211:

6.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

6.5

6.5

CVE-2025-1211: Server-side Request Forgery (SSRF) in hackney

Basic Information

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI