Lucene search
K
BenoitcHackney2.0.0

5 matches found

CVE
CVE
added 2026/05/25 2:0 p.m.39 views

CVE-2026-47067

Affected software: hackney (Erlang HTTP client). Vulnerability description: The URL parser in src/hackney_url.erl converts every unrecognized URL scheme to a permanent BEAM atom via binary_to_atom/2. BEAM atoms are never garbage-collected, and the atom table maxes out at 1,048,576 entries. An att...

8.7CVSS5.8AI score0.00703EPSS
CVE
CVE
added 2026/05/25 2:0 p.m.35 views

CVE-2026-47073

CVE-2026-47073 affects hackney WebSocket client (src/hackney_ws.erl) causing unbounded memory growth via three paths: read_handshake_response/3 accumulates an unbounded buffer due to lack of size cap; parse_payload/9 and parse_active_payload/8 do not enforce a maximum frame payload length; and fr...

8.7CVSS5.9AI score0.00825EPSS
CVE
CVE
added 2026/05/25 2:0 p.m.27 views

CVE-2026-47072

CVE-2026-47072 affects hackney versions 2.0.0–4.0.0, where the WebSocket upgrade path is vulnerable to CRLF injection. The upgrade code copies caller-supplied host, path, headers (ExtraHeaders), and protocols options into the internal ws_data structure and then concatenates them into the HTTP/1.1...

7.5CVSS6AI score0.00506EPSS
CVE
CVE
added 2026/05/25 2:0 p.m.25 views

CVE-2026-47077

The CVE affects hackney (versions 2.0.0–4.0.0) due to an unbounded in-memory accumulation in hackney_h3:await_response_loop/6, where HTTP/3 response chunks are buffered without a cap. A malicious server can keep sending small chunks, preventing loop termination and exhausting the BEAM heap, leadi...

8.2CVSS5.9AI score0.00703EPSS
CVE
CVE
added 2026/05/25 2:0 p.m.20 views

CVE-2026-47066

CVE-2026-47066 describes an Infinite Loop in the Alt-Svc header parser of benoitc’s hackney. The vulnerable component is the Alt-Svc response header parser (src/hackney_altsvc.erl); when parse_token/2 receives certain inputs, it may return the input unchanged, and skip_comma/1 can fail to progres...

8.7CVSS6AI score0.00703EPSS