Skip to main content

hackney EUVDEUVD-2026-31685

| CVE-2026-47071 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-05-25 EEF GHSA-gp9c-pm5m-5cxr
8.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 08, 2026 - 09:57 vuln.today
Analysis Generated
Jun 08, 2026 - 09:57 vuln.today
CVSS changed
May 26, 2026 - 17:22 NVD
8.2 (HIGH)
CVE Published
May 25, 2026 - 14:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Uncontrolled Resource Consumption vulnerability in benoitc hackney allows Flooding. The SOCKS5 transport in src/hackney_socks5.erl correctly applies the caller-supplied timeout to the SOCKS5 negotiation phase, but then upgrades the connection to TLS using the two-argument form ssl:connect/2, which defaults to an infinite timeout. The Timeout value is in scope at the call site but is not forwarded. A hostile SOCKS5 proxy that completes the SOCKS5 handshake normally and then goes silent (or sends a partial TLS ServerHello and stalls) will cause the connecting process to block indefinitely, regardless of the connect_timeout or recv_timeout options supplied by the caller.

This issue affects hackney: from 0.10.0 before 4.0.1.

AnalysisAI

Denial of service in benoitc hackney (Erlang HTTP client) versions 0.10.0 through 4.0.0 lets a hostile SOCKS5 or HTTP CONNECT proxy hang the connecting Erlang process indefinitely during the TLS upgrade phase. Because the caller-supplied timeout was not forwarded to ssl:connect/2, which defaults to infinity, recv_timeout and connect_timeout options are silently bypassed. Publicly available exploit code exists per SSVC, EPSS is low (0.04%), and a vendor patch is available in 4.0.1.

Technical ContextAI

hackney is a widely used HTTP client library for Erlang/OTP, frequently pulled in transitively by Elixir HTTP stacks. The bug sits in src/hackney_socks5.erl (and analogously in src/hackney_http_connect.erl) where, after the SOCKS5 or HTTP CONNECT handshake completes, the TCP socket is upgraded to TLS via the two-argument ssl:connect(Socket, SSLOpts) form. Erlang's ssl:connect/2 defaults its timeout to infinity, so the Timeout variable in scope at the call site is never propagated to the TLS handshake. This is a classic CWE-400 Uncontrolled Resource Consumption issue: the resource exhausted is the calling Erlang process and its file descriptor, which are pinned to a stalled handshake despite explicit caller-supplied connect_timeout / recv_timeout values. Affected CPE is cpe:2.3:a:benoitc:hackney:* across all builds from 0.10.0 up to (but not including) 4.0.1.

RemediationAI

Upgrade to hackney 4.0.1, which forwards the caller's Timeout to ssl:connect/3 in both the SOCKS5 and HTTP CONNECT transports (see commit 5ccdab725c561a6f03d05a51f2d0664f98236dae and advisory GHSA-gp9c-pm5m-5cxr at https://github.com/benoitc/hackney/security/advisories/GHSA-gp9c-pm5m-5cxr). If immediate upgrade is not possible, restrict outbound proxy usage to trusted, operator-controlled SOCKS5/HTTPS proxies and reject user-supplied proxy URLs at the application layer - the trade-off is loss of any feature that lets end users choose an arbitrary proxy. As a defense-in-depth control, enforce a per-request supervisor or hard wall-clock kill (e.g., wrap calls in a Task with Task.await/2 timeout, or use a circuit breaker with a max-in-flight budget) so a stalled process cannot accumulate; the side effect is that legitimate slow handshakes will also be cancelled. Do not rely on connect_timeout or recv_timeout alone on vulnerable versions - they are bypassed during the TLS upgrade phase.

CVE-2026-47073 HIGH POC
8.7 May 25

Denial of service in benoitc hackney (Erlang HTTP client) versions 2.0.0 through 4.0.0 allows a malicious WebSocket serv

CVE-2026-47067 HIGH POC
8.7 May 25

Denial of service in benoitc hackney (Erlang HTTP client) 2.0.0 through 4.0.0 allows remote unauthenticated attackers to

CVE-2026-47066 HIGH POC
8.7 May 25

Denial-of-service in benoitc's hackney Erlang HTTP client (versions 2.0.0-beta.1 through 4.0.0) allows any HTTP origin s

CVE-2026-47077 HIGH POC
8.2 May 25

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney_h3:await_

CVE-2026-47072 MEDIUM POC
6.9 May 25

CRLF injection in hackney (Erlang HTTP client, versions 2.0.0-4.0.1) enables header injection into outbound WebSocket up

CVE-2026-47076 MEDIUM POC
6.9 May 25

SSRF allowlist bypass in hackney (Erlang HTTP client) versions 0.13.0 through before 4.0.1 allows attackers who control

CVE-2026-47075 MEDIUM POC
6.8 May 25

HTTP Request Splitting via CRLF injection in hackney, the Erlang/Elixir HTTP client library, allows an attacker who cont

CVE-2026-47070 MEDIUM POC
6.0 May 25

Credential leakage in the hackney Erlang HTTP client library (versions 3.1.1 through before 4.0.1) allows a malicious or

CVE-2026-47069 LOW POC
2.1 May 25

CRLF injection in the hackney Erlang HTTP client library's hackney_cookie:setcookie/3 function enables HTTP response spl

Share

EUVD-2026-31685 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy