Skip to main content

hackney CVE-2026-47067

| EUVDEUVD-2026-31691 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-25 EEF GHSA-9653-rcfr-5c62
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 08, 2026 - 09:38 vuln.today
Analysis Generated
Jun 08, 2026 - 09:38 vuln.today
CVSS changed
May 26, 2026 - 17:22 NVD
8.7 (HIGH)
CVE Published
May 25, 2026 - 14:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The URL parser in src/hackney_url.erl converts every unrecognized URL scheme to a permanent BEAM atom via binary_to_atom/2. BEAM atoms are never garbage-collected and the atom table defaults to a hard limit of 1,048,576 entries. An attacker who can supply URLs with attacker-chosen scheme prefixes - directly as request targets, as configured webhook URLs, or via Location headers followed during redirects - can exhaust the atom table and crash the entire BEAM VM with system_limit.

This issue affects hackney: from 2.0.0 before 4.0.1.

AnalysisAI

Denial of service in benoitc hackney (Erlang HTTP client) 2.0.0 through 4.0.0 allows remote unauthenticated attackers to crash the BEAM VM by supplying URLs with attacker-chosen scheme prefixes, exhausting the non-garbage-collected atom table (default limit 1,048,576). Exploitation is automatable per SSVC and affects any application that parses untrusted URLs via hackney - including request targets, configured webhook URLs, or Location redirect headers. No public exploit identified at time of analysis and EPSS is low (0.04%), but a vendor patch is available in 4.0.1.

Technical ContextAI

hackney is a widely-used HTTP client library for Erlang/Elixir applications. The root cause (CWE-770: Allocation of Resources Without Limits or Throttling) lives in src/hackney_url.erl, where parse_url/1 invoked binary_to_atom/2 on the lowercased URL scheme. In the BEAM (Erlang virtual machine), atoms are interned into a global, never-garbage-collected table whose default ceiling is 1,048,576 entries; once exhausted, the VM aborts with a system_limit error and the entire Erlang node terminates. Because hackney_url is reachable any time the library parses a URL - including indirectly via Location headers during automatic redirect following - attacker-controlled scheme strings are converted into permanent atoms one per unique scheme observed. The upstream fix swaps binary_to_atom for binary_to_existing_atom with a binary fallback, so unknown schemes never mint new atoms and are simply rejected as unsupported_scheme downstream.

RemediationAI

Vendor-released patch: upgrade hackney to 4.0.1 or later, which replaces binary_to_atom with binary_to_existing_atom in hackney_url:parse_url so unknown schemes remain as binaries (commit 31f6f0e27e096ad88743dfded4f030a3ee74972e). See the advisory at https://github.com/benoitc/hackney/security/advisories/GHSA-9653-rcfr-5c62 for guidance. Where immediate upgrade is not possible, compensating controls include disabling automatic redirect following in hackney requests (trade-off: callers must handle 3xx responses manually), validating and allow-listing URL schemes (e.g. only http/https) before passing user-supplied URLs or webhook targets to hackney (trade-off: rejects legitimate uncommon schemes), and increasing the BEAM atom table limit via the +t emulator flag to delay exhaustion (trade-off: only buys time, does not prevent the underlying leak and increases memory ceiling). Auditing all code paths that feed externally influenced URLs into hackney is also recommended.

CVE-2026-47073 HIGH POC
8.7 May 25

Denial of service in benoitc hackney (Erlang HTTP client) versions 2.0.0 through 4.0.0 allows a malicious WebSocket serv

CVE-2026-47066 HIGH POC
8.7 May 25

Denial-of-service in benoitc's hackney Erlang HTTP client (versions 2.0.0-beta.1 through 4.0.0) allows any HTTP origin s

CVE-2026-47077 HIGH POC
8.2 May 25

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney_h3:await_

CVE-2026-47071 HIGH POC
8.2 May 25

Denial of service in benoitc hackney (Erlang HTTP client) versions 0.10.0 through 4.0.0 lets a hostile SOCKS5 or HTTP CO

CVE-2026-47072 MEDIUM POC
6.9 May 25

CRLF injection in hackney (Erlang HTTP client, versions 2.0.0-4.0.1) enables header injection into outbound WebSocket up

CVE-2026-47076 MEDIUM POC
6.9 May 25

SSRF allowlist bypass in hackney (Erlang HTTP client) versions 0.13.0 through before 4.0.1 allows attackers who control

CVE-2026-47075 MEDIUM POC
6.8 May 25

HTTP Request Splitting via CRLF injection in hackney, the Erlang/Elixir HTTP client library, allows an attacker who cont

CVE-2026-47070 MEDIUM POC
6.0 May 25

Credential leakage in the hackney Erlang HTTP client library (versions 3.1.1 through before 4.0.1) allows a malicious or

CVE-2026-47069 LOW POC
2.1 May 25

CRLF injection in the hackney Erlang HTTP client library's hackney_cookie:setcookie/3 function enables HTTP response spl

Share

CVE-2026-47067 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy