Lucene search
K

125 matches found

EUVD
EUVD
added 2026/06/26 10:1 p.m.15 views

EUVD-2026-31691

Hackney vulnerable to atom-table exhaustion via unrecognized URL schemes...

8.7CVSS5.8AI score0.00703EPSS
Exploits1References5
EUVD
EUVD
added 2026/06/26 10:0 p.m.17 views

EUVD-2026-31694

Hackney has unbounded buffer accumulation in WebSocket...

8.7CVSS5.9AI score0.00825EPSS
Exploits1References5
EUVD
EUVD
added 2026/06/26 9:59 p.m.14 views

EUVD-2026-31690

Hackney has CRLF / header injection in WebSocket upgrade request...

7.5CVSS5.8AI score0.00506EPSS
Exploits1References5
EUVD
EUVD
added 2026/06/26 9:58 p.m.15 views

EUVD-2026-31687

Hackney has CR/LF injection in query parameter...

7.5CVSS5.8AI score0.00421EPSS
Exploits1References5
OSV
OSV
added 2026/06/26 9:57 p.m.2 views

GHSA-JQ4M-Q6P2-8GWC Hackney: Per-chunk timeout with unbounded body accumulation enables slow-drip OOM

Summary hackneyh3:awaitresponseloop/6 in src/hackneyh3.erl accumulates the HTTP/3 response body in memory without any size cap. The after Timeout clause is a per-message inactivity timer, not a wall-clock deadline: every received streamdata chunk, housekeeping select message, or settings frame...

8.2CVSS5.9AI score0.00703EPSS
Exploits1References7
Github Security Blog
Github Security Blog
added 2026/06/26 9:57 p.m.6 views

Hackney: Per-chunk timeout with unbounded body accumulation enables slow-drip OOM

Summary hackneyh3:awaitresponseloop/6 in src/hackneyh3.erl accumulates the HTTP/3 response body in memory without any size cap. The after Timeout clause is a per-message inactivity timer, not a wall-clock deadline: every received streamdata chunk, housekeeping select message, or settings frame...

8.2CVSS5.9AI score0.00703EPSS
Exploits1References7Affected Software1
EUVD
EUVD
added 2026/06/26 9:56 p.m.15 views

EUVD-2026-31692

Hackney: Cross-origin Redirect Leaks Authorization, Cookie, and Request Body...

6.1CVSS5.8AI score0.00348EPSS
Exploits1References5
EUVD
EUVD
added 2026/06/26 9:54 p.m.13 views

EUVD-2026-31689

Hackney has SSRF allowlist bypass in hackneyurl:normalize/2 via percent-encoded host...

6.9CVSS5.8AI score0.00201EPSS
Exploits1References5
EUVD
EUVD
added 2026/06/26 9:54 p.m.13 views

EUVD-2026-31683

Hackney has CRLF / header injection via unvalidated domain and path options...

5.3CVSS5.8AI score0.00374EPSS
Exploits1References5
EUVD
EUVD
added 2026/06/26 9:53 p.m.13 views

EUVD-2026-31685

Hackney: ssl:connect/2 post-handshake upgrade has no timeout...

8.2CVSS5.8AI score0.00703EPSS
Exploits1References5
EUVD
EUVD
added 2026/06/26 9:53 p.m.15 views

EUVD-2026-31686

Hackney has an infinite loop on non-token byte at start of an Alt-Svc entry...

8.7CVSS5.8AI score0.00703EPSS
Exploits1References5
RedhatCVE
RedhatCVE
added 2026/05/26 8:14 p.m.13 views

CVE-2026-47075

Improper Neutralization of CRLF Sequences vulnerability in benoitc hackney allows HTTP Request Splitting. hackney does not percent-encode carriage return \r or line feed \n characters in the URL query component before constructing the HTTP/1.1 request target. Characters outside the grammar define...

7.5CVSS5.9AI score0.00421EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/05/26 8:14 p.m.12 views

CVE-2026-47070

Sensitive Data Exposure vulnerability in benoitc hackney allows Retrieve Embedded Sensitive Data. The HTTP/3 redirect handler in src/hackneyh3.erl passes the original request headers unchanged to the redirect target without performing any cross-origin check. When a client issues an HTTP/3 request...

6.1CVSS5.8AI score0.00348EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/05/26 8:14 p.m.15 views

CVE-2026-47076

Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery. hackneyurl:normalize/2 URL-decodes the host component after the URL has been parsed into a hackneyurl record. OTP's uristring:parse/1 and inet:parseaddress/1 do not decode percent-escapes in the host, so ...

6.9CVSS5.8AI score0.00201EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/05/26 8:14 p.m.19 views

CVE-2026-47072

Improper Neutralization of CRLF Sequences 'CRLF Injection' vulnerability in benoitc hackney allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackneyws.erl copies the host, path, headers ExtraHeaders, and protocols options from the caller-supplied opts map into the interna...

7.5CVSS6AI score0.00506EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/05/26 8:14 p.m.10 views

CVE-2026-47077

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackneyh3:awaitresponseloop/6 accumulates the HTTP/3 response body in memory without any size cap. The after Timeout clause is a per-message inactivity timer that resets on every received chunk,...

8.2CVSS5.9AI score0.00703EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/05/26 8:14 p.m.11 views

CVE-2026-47073

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The WebSocket client in src/hackneyws.erl imposes no upper bound on memory consumption in three code paths. First, readhandshakeresponse/3 accumulates received bytes into a growing buffer with n...

8.7CVSS5.9AI score0.00825EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/05/26 8:14 p.m.10 views

CVE-2026-47071

Uncontrolled Resource Consumption vulnerability in benoitc hackney allows Flooding. The SOCKS5 transport in src/hackneysocks5.erl correctly applies the caller-supplied timeout to the SOCKS5 negotiation phase, but then upgrades the connection to TLS using the two-argument form ssl:connect/2, which...

8.2CVSS5.7AI score0.00703EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/05/26 8:14 p.m.16 views

CVE-2026-47066

Loop with Unreachable Exit Condition 'Infinite Loop' vulnerability in benoitc hackney allows Excessive Allocation. The Alt-Svc response header parser in src/hackneyaltsvc.erl does not guarantee forward progress. When parsetoken/2 receives a non-token, non-whitespace, non-comma byte e.g. !, @, =, ...

8.7CVSS6AI score0.00703EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/05/26 8:14 p.m.10 views

CVE-2026-47067

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The URL parser in src/hackneyurl.erl converts every unrecognized URL scheme to a permanent BEAM atom via binarytoatom/2. BEAM atoms are never garbage-collected and the atom table defaults to a...

8.7CVSS5.8AI score0.00703EPSS
Exploits1References1
Rows per page
Query Builder