Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in benoitc hackney allows Excessive Allocation. The Alt-Svc response header parser in src/hackney_altsvc.erl does not guarantee forward progress. When parse_token/2 receives a non-token, non-whitespace, non-comma byte (e.g. !, @, =, ;), it returns the input unchanged. skip_comma/1 also returns the buffer unchanged when the first byte is not a comma. parse_entries/2 then recurses with identical data, creating a tight infinite tail-recursive loop that pins a scheduler at 100% CPU. The calling process never returns.
The entry point parse_and_cache/3 is called synchronously in the connection process on every HTTP response. A single-byte Alt-Svc: ! response header is sufficient to trigger the hang; the header is fully controlled by any HTTP origin the client connects to.
This issue affects hackney: from 2.0.0-beta.1 before 4.0.1.
AnalysisAI
Denial-of-service in benoitc's hackney Erlang HTTP client (versions 2.0.0-beta.1 through 4.0.0) allows any HTTP origin server to pin a client process at 100% CPU by returning a malformed Alt-Svc response header. The flaw is a CWE-835 infinite loop in the Alt-Svc parser, triggerable by a single byte such as '!' in the header value. No public exploit identified at time of analysis, EPSS is low (0.04%), but SSVC rates exploitation as POC and the attack is automatable; a vendor patch is available in 4.0.1.
Technical ContextAI
hackney is a widely embedded Erlang HTTP client library (e.g., used transitively by HTTPoison and many Elixir/Erlang services). The vulnerable code is src/hackney_altsvc.erl, which parses RFC 7838 Alt-Svc response headers. parse_token/2 returns the buffer unchanged when it encounters a non-token, non-whitespace, non-comma byte, and skip_comma/1 likewise returns the buffer unchanged when the leading byte is not a comma. parse_entries/2 then tail-recurses on identical input, never making forward progress - a textbook CWE-835 'Loop with Unreachable Exit Condition'. Because parse_and_cache/3 runs synchronously inside the connection process on every HTTP response, the offending Erlang scheduler thread is starved indefinitely. The fix (commit e548aba) introduces seek_next_entry/1 to advance past a malformed lead byte until the next comma, guaranteeing progress.
RemediationAI
Vendor-released patch: upgrade hackney to 4.0.1 or later, which adds the seek_next_entry/1 forward-progress guard in src/hackney_altsvc.erl (commit https://github.com/benoitc/hackney/commit/e548aba1f97ffa3f4750da7b772998fb78c01894); see the advisory at https://github.com/benoitc/hackney/security/advisories/GHSA-6cp8-v795-jr2j. For Elixir/Erlang projects, bump the direct or transitive hackney dependency in mix.exs / rebar.config and rebuild. If you cannot upgrade immediately, compensating controls are limited because Alt-Svc is sent by the server: restrict hackney to a known allowlist of trusted origins and disallow user-controlled URLs (mitigates SSRF-style abuse but breaks general-purpose client use), terminate outbound HTTP traffic through a forward proxy that strips the Alt-Svc response header (loses any legitimate HTTP/3 upgrade hints), or wrap hackney calls in a supervised, time-bounded task so a stalled scheduler can be killed (still wastes CPU until the timer fires and does not prevent repeated triggering).
Denial of service in benoitc hackney (Erlang HTTP client) versions 2.0.0 through 4.0.0 allows a malicious WebSocket serv
Denial of service in benoitc hackney (Erlang HTTP client) 2.0.0 through 4.0.0 allows remote unauthenticated attackers to
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney_h3:await_
Denial of service in benoitc hackney (Erlang HTTP client) versions 0.10.0 through 4.0.0 lets a hostile SOCKS5 or HTTP CO
CRLF injection in hackney (Erlang HTTP client, versions 2.0.0-4.0.1) enables header injection into outbound WebSocket up
SSRF allowlist bypass in hackney (Erlang HTTP client) versions 0.13.0 through before 4.0.1 allows attackers who control
HTTP Request Splitting via CRLF injection in hackney, the Erlang/Elixir HTTP client library, allows an attacker who cont
Credential leakage in the hackney Erlang HTTP client library (versions 3.1.1 through before 4.0.1) allows a malicious or
CRLF injection in the hackney Erlang HTTP client library's hackney_cookie:setcookie/3 function enables HTTP response spl
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31686
GHSA-6cp8-v795-jr2j