Skip to main content

Hackney

10 CVEs product

Monthly

CVE-2026-47073 HIGH POC PATCH GHSA This Week

Denial of service in benoitc hackney (Erlang HTTP client) versions 2.0.0 through 4.0.0 allows a malicious WebSocket server to exhaust client memory via three unbounded buffer paths in src/hackney_ws.erl. An attacker controlling the server the hackney client connects to can drive the Erlang VM to OOM by streaming bytes without terminator, declaring a giant RFC 6455 frame length, or sending endless non-final continuation fragments. Publicly available exploit code exists per SSVC, EPSS is low at 0.09%, and a vendor patch is available in 4.0.1.

Denial Of Service Hackney
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-47067 HIGH POC PATCH GHSA This Week

Denial of service in benoitc hackney (Erlang HTTP client) 2.0.0 through 4.0.0 allows remote unauthenticated attackers to crash the BEAM VM by supplying URLs with attacker-chosen scheme prefixes, exhausting the non-garbage-collected atom table (default limit 1,048,576). Exploitation is automatable per SSVC and affects any application that parses untrusted URLs via hackney - including request targets, configured webhook URLs, or Location redirect headers. No public exploit identified at time of analysis and EPSS is low (0.04%), but a vendor patch is available in 4.0.1.

Denial Of Service Hackney
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-47072 MEDIUM POC PATCH GHSA This Month

CRLF injection in hackney (Erlang HTTP client, versions 2.0.0-4.0.1) enables header injection into outbound WebSocket upgrade requests when caller-supplied options - host, path, ExtraHeaders, or protocols - contain unsanitized user input. The vulnerable code in src/hackney_ws.erl splices these values verbatim via binary concatenation into a raw HTTP/1.1 upgrade request with no CR, LF, or NUL filtering at any of the four injection sites. No active exploitation is confirmed (not in CISA KEV), though SSVC assesses exploitation status as 'poc' and the fix commit includes a functional test that doubles as a proof-of-concept; EPSS remains very low at 0.05% (15th percentile), consistent with an indirect, application-mediated attack path rather than mass exploitation.

RCE Hackney
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-47076 MEDIUM POC PATCH GHSA This Month

SSRF allowlist bypass in hackney (Erlang HTTP client) versions 0.13.0 through before 4.0.1 allows attackers who control URL input to circumvent application-level SSRF protections by supplying percent-encoded IP addresses as hostnames. The parser differential lies in hackney_url:normalize/2 decoding the host component post-parse: OTP's uri_string:parse/1 and inet:parse_address/1 see %31%36%39%2E%32%35%34%2E%31%36%39%2E%32%35%34 as a non-IP string (allowlist passes), while hackney then decodes it to 169.254.169.254 and establishes the TCP connection. A proof-of-concept exists per SSVC assessment; no active exploitation is confirmed in CISA KEV, and EPSS is very low at 0.01% (2nd percentile).

SSRF Hackney
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-47070 MEDIUM POC PATCH GHSA This Month

Credential leakage in the hackney Erlang HTTP client library (versions 3.1.1 through before 4.0.1) allows a malicious or compromised redirect target to capture Authorization, Cookie, and Proxy-Authorization headers forwarded verbatim by the HTTP/3 redirect handler. The hackney_h3.erl module, introduced for HTTP/3 support, omitted the cross-origin credential-stripping logic (maybe_strip_auth_on_redirect/2) that was added to the main hackney.erl module following CVE-2018-1000007, creating a feature-parity gap exploitable when clients use follow_redirect with HTTP/3 and credential headers. No active exploitation is confirmed (not in CISA KEV), but SSVC assessment confirms a proof-of-concept exists; EPSS is low at 0.04% (13th percentile), consistent with targeted rather than opportunistic exploitation.

Information Disclosure Open Redirect Hackney
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-47075 MEDIUM POC PATCH GHSA This Month

HTTP Request Splitting via CRLF injection in hackney, the Erlang/Elixir HTTP client library, allows an attacker who controls URL input to inject arbitrary HTTP headers or split HTTP/1.1 requests by embedding raw carriage return (\r) or line feed (\n) characters in the query string. The root cause is that hackney_url:make_url/3 passes the query binary directly into the HTTP/1.1 request target without percent-encoding RFC 3986-prohibited characters, violating the grammar defined in RFC 3986 §3.4. All hackney versions from 0 through 4.0.0 are affected; a proof-of-concept exists per SSVC assessment, though no active exploitation is confirmed and the EPSS score (0.02%, 6th percentile) indicates low widespread exploitation probability at time of analysis.

RCE Hackney
NVD GitHub VulDB
CVSS 4.0
6.8
EPSS
0.0%
CVE-2026-47077 HIGH POC PATCH GHSA This Week

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney_h3:await_response_loop/6 accumulates the HTTP/3 response body in memory without any size cap. The after Timeout clause is a per-message inactivity timer that resets on every received chunk, housekeeping message, or settings frame - it is not a wall-clock deadline. A malicious HTTP/3 server that emits one small chunk every Timeout - 1 ms with Fin = false and never sends a final frame keeps the loop alive indefinitely while the accumulation buffer grows linearly without bound, eventually exhausting the BEAM process heap and causing an out-of-memory condition. This issue affects hackney: from 2.0.0 before 4.0.1.

Denial Of Service Hackney
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-47071 HIGH POC PATCH GHSA This Week

Denial of service in benoitc hackney (Erlang HTTP client) versions 0.10.0 through 4.0.0 lets a hostile SOCKS5 or HTTP CONNECT proxy hang the connecting Erlang process indefinitely during the TLS upgrade phase. Because the caller-supplied timeout was not forwarded to ssl:connect/2, which defaults to infinity, recv_timeout and connect_timeout options are silently bypassed. Publicly available exploit code exists per SSVC, EPSS is low (0.04%), and a vendor patch is available in 4.0.1.

Denial Of Service Hackney
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-47066 HIGH POC PATCH GHSA This Week

Denial-of-service in benoitc's hackney Erlang HTTP client (versions 2.0.0-beta.1 through 4.0.0) allows any HTTP origin server to pin a client process at 100% CPU by returning a malformed Alt-Svc response header. The flaw is a CWE-835 infinite loop in the Alt-Svc parser, triggerable by a single byte such as '!' in the header value. No public exploit identified at time of analysis, EPSS is low (0.04%), but SSVC rates exploitation as POC and the attack is automatable; a vendor patch is available in 4.0.1.

Denial Of Service Hackney
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-47069 LOW POC PATCH GHSA Monitor

CRLF injection in the hackney Erlang HTTP client library's hackney_cookie:setcookie/3 function enables HTTP response splitting against applications using versions 0.9.0 through before 4.0.1. While the function correctly validates the Name and Value cookie arguments against CRLF and control characters, it concatenates the domain and path options verbatim into the output iolist with no equivalent check, creating an injection point. An attacker who can influence the domain or path values passed to that function - for example, by submitting a crafted Host header or URL path that an application forwards directly into the cookie-setting call - can inject arbitrary additional Set-Cookie headers into the HTTP response. No public exploit identified at time of analysis per KEV absence, though SSVC confirms a proof-of-concept exists.

Code Injection Hackney
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

Denial of service in benoitc hackney (Erlang HTTP client) versions 2.0.0 through 4.0.0 allows a malicious WebSocket server to exhaust client memory via three unbounded buffer paths in src/hackney_ws.erl. An attacker controlling the server the hackney client connects to can drive the Erlang VM to OOM by streaming bytes without terminator, declaring a giant RFC 6455 frame length, or sending endless non-final continuation fragments. Publicly available exploit code exists per SSVC, EPSS is low at 0.09%, and a vendor patch is available in 4.0.1.

Denial Of Service Hackney
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

Denial of service in benoitc hackney (Erlang HTTP client) 2.0.0 through 4.0.0 allows remote unauthenticated attackers to crash the BEAM VM by supplying URLs with attacker-chosen scheme prefixes, exhausting the non-garbage-collected atom table (default limit 1,048,576). Exploitation is automatable per SSVC and affects any application that parses untrusted URLs via hackney - including request targets, configured webhook URLs, or Location redirect headers. No public exploit identified at time of analysis and EPSS is low (0.04%), but a vendor patch is available in 4.0.1.

Denial Of Service Hackney
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Month

CRLF injection in hackney (Erlang HTTP client, versions 2.0.0-4.0.1) enables header injection into outbound WebSocket upgrade requests when caller-supplied options - host, path, ExtraHeaders, or protocols - contain unsanitized user input. The vulnerable code in src/hackney_ws.erl splices these values verbatim via binary concatenation into a raw HTTP/1.1 upgrade request with no CR, LF, or NUL filtering at any of the four injection sites. No active exploitation is confirmed (not in CISA KEV), though SSVC assesses exploitation status as 'poc' and the fix commit includes a functional test that doubles as a proof-of-concept; EPSS remains very low at 0.05% (15th percentile), consistent with an indirect, application-mediated attack path rather than mass exploitation.

RCE Hackney
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Month

SSRF allowlist bypass in hackney (Erlang HTTP client) versions 0.13.0 through before 4.0.1 allows attackers who control URL input to circumvent application-level SSRF protections by supplying percent-encoded IP addresses as hostnames. The parser differential lies in hackney_url:normalize/2 decoding the host component post-parse: OTP's uri_string:parse/1 and inet:parse_address/1 see %31%36%39%2E%32%35%34%2E%31%36%39%2E%32%35%34 as a non-IP string (allowlist passes), while hackney then decodes it to 169.254.169.254 and establishes the TCP connection. A proof-of-concept exists per SSVC assessment; no active exploitation is confirmed in CISA KEV, and EPSS is very low at 0.01% (2nd percentile).

SSRF Hackney
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM POC PATCH This Month

Credential leakage in the hackney Erlang HTTP client library (versions 3.1.1 through before 4.0.1) allows a malicious or compromised redirect target to capture Authorization, Cookie, and Proxy-Authorization headers forwarded verbatim by the HTTP/3 redirect handler. The hackney_h3.erl module, introduced for HTTP/3 support, omitted the cross-origin credential-stripping logic (maybe_strip_auth_on_redirect/2) that was added to the main hackney.erl module following CVE-2018-1000007, creating a feature-parity gap exploitable when clients use follow_redirect with HTTP/3 and credential headers. No active exploitation is confirmed (not in CISA KEV), but SSVC assessment confirms a proof-of-concept exists; EPSS is low at 0.04% (13th percentile), consistent with targeted rather than opportunistic exploitation.

Information Disclosure Open Redirect Hackney
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM POC PATCH This Month

HTTP Request Splitting via CRLF injection in hackney, the Erlang/Elixir HTTP client library, allows an attacker who controls URL input to inject arbitrary HTTP headers or split HTTP/1.1 requests by embedding raw carriage return (\r) or line feed (\n) characters in the query string. The root cause is that hackney_url:make_url/3 passes the query binary directly into the HTTP/1.1 request target without percent-encoding RFC 3986-prohibited characters, violating the grammar defined in RFC 3986 §3.4. All hackney versions from 0 through 4.0.0 are affected; a proof-of-concept exists per SSVC assessment, though no active exploitation is confirmed and the EPSS score (0.02%, 6th percentile) indicates low widespread exploitation probability at time of analysis.

RCE Hackney
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH POC PATCH This Week

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney_h3:await_response_loop/6 accumulates the HTTP/3 response body in memory without any size cap. The after Timeout clause is a per-message inactivity timer that resets on every received chunk, housekeeping message, or settings frame - it is not a wall-clock deadline. A malicious HTTP/3 server that emits one small chunk every Timeout - 1 ms with Fin = false and never sends a final frame keeps the loop alive indefinitely while the accumulation buffer grows linearly without bound, eventually exhausting the BEAM process heap and causing an out-of-memory condition. This issue affects hackney: from 2.0.0 before 4.0.1.

Denial Of Service Hackney
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH POC PATCH This Week

Denial of service in benoitc hackney (Erlang HTTP client) versions 0.10.0 through 4.0.0 lets a hostile SOCKS5 or HTTP CONNECT proxy hang the connecting Erlang process indefinitely during the TLS upgrade phase. Because the caller-supplied timeout was not forwarded to ssl:connect/2, which defaults to infinity, recv_timeout and connect_timeout options are silently bypassed. Publicly available exploit code exists per SSVC, EPSS is low (0.04%), and a vendor patch is available in 4.0.1.

Denial Of Service Hackney
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

Denial-of-service in benoitc's hackney Erlang HTTP client (versions 2.0.0-beta.1 through 4.0.0) allows any HTTP origin server to pin a client process at 100% CPU by returning a malformed Alt-Svc response header. The flaw is a CWE-835 infinite loop in the Alt-Svc parser, triggerable by a single byte such as '!' in the header value. No public exploit identified at time of analysis, EPSS is low (0.04%), but SSVC rates exploitation as POC and the attack is automatable; a vendor patch is available in 4.0.1.

Denial Of Service Hackney
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

CRLF injection in the hackney Erlang HTTP client library's hackney_cookie:setcookie/3 function enables HTTP response splitting against applications using versions 0.9.0 through before 4.0.1. While the function correctly validates the Name and Value cookie arguments against CRLF and control characters, it concatenates the domain and path options verbatim into the output iolist with no equivalent check, creating an injection point. An attacker who can influence the domain or path values passed to that function - for example, by submitting a crafted Host header or URL path that an application forwards directly into the cookie-setting call - can inject arbitrary additional Set-Cookie headers into the HTTP response. No public exploit identified at time of analysis per KEV absence, though SSVC confirms a proof-of-concept exists.

Code Injection Hackney
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy