Description
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in benoitc hackney allows Excessive Allocation. The Alt-Svc response header parser in src/hackney_altsvc.erl does not guarantee forward progress. When parse_token/2 receives a non-token, non-whitespace, non-comma byte (e.g. !, @, =, ;), it returns the input unchanged. skip_comma/1 also returns the buffer unchanged when the first byte is not a comma. parse_entries/2 then recurses with identical data, creating a tight infinite tail-recursive loop that pins a scheduler at 100% CPU. The calling process never returns.

The entry point parse_and_cache/3 is called synchronously in the connection process on every HTTP response. A single-byte Alt-Svc: ! response header is sufficient to trigger the hang; the header is fully controlled by any HTTP origin the client connects to.

This issue affects hackney: from 2.0.0-beta.1 before 4.0.1.
Published: 2026-05-25
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an infinite loop in the Alt‑Svc header parser of the Erlang HTTP client hackney. When the parser receives a byte that is neither a token, whitespace, nor a comma, it returns the input unchanged and then recurses with the identical data. This tight tail‑recursive loop consumes 100 % CPU and never returns, causing the calling process to hang indefinitely.

Affected Systems

The issue affects hackney releases from 2.0.0‑beta.1 up to, but not including, 4.0.1. Any application that uses one of these versions to parse HTTP responses from arbitrary origins is vulnerable.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. EPSS data is not available and the flaw is not listed in CISA KEV. The attack can be carried out remotely by an attacker who controls the origin server, sending a single byte such as "Alt‑Svc: !" to the client. Because the condition is trivially satisfied, the practical risk is significant. The consequence is a frozen process and denial of service to the application using the client.

Generated by OpenCVE AI on May 25, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade hackney to version 4.0.1 or later, which eliminates the logic flaw identified as CWE‑835.
  • As a temporary workaround, configure the client to strip or ignore Alt‑Svc headers in responses to prevent the infinite loop from occurring.
  • Restrict outbound connections to trusted origins and monitor for abnormal CPU usage on clients running older vulnerable versions of hackney.

Generated by OpenCVE AI on May 25, 2026 at 15:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 14:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Tue, 26 May 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 25 May 2026 14:30:00 +0000

Type Values Removed Values Added
Description Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in benoitc hackney allows Excessive Allocation. The Alt-Svc response header parser in src/hackney_altsvc.erl does not guarantee forward progress. When parse_token/2 receives a non-token, non-whitespace, non-comma byte (e.g. !, @, =, ;), it returns the input unchanged. skip_comma/1 also returns the buffer unchanged when the first byte is not a comma. parse_entries/2 then recurses with identical data, creating a tight infinite tail-recursive loop that pins a scheduler at 100% CPU. The calling process never returns. The entry point parse_and_cache/3 is called synchronously in the connection process on every HTTP response. A single-byte Alt-Svc: ! response header is sufficient to trigger the hang; the header is fully controlled by any HTTP origin the client connects to. This issue affects hackney: from 2.0.0-beta.1 before 4.0.1.
Title Infinite loop in Alt-Svc header parser in hackney
First Time appeared Benoitc
Benoitc hackney
Weaknesses CWE-835
CPEs cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
Vendors & Products Benoitc
Benoitc hackney
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Benoitc Hackney
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-27T15:40:41.946Z

Reserved: 2026-05-18T17:28:08.321Z

Link: CVE-2026-47066

cve-icon Vulnrichment

Updated: 2026-05-26T15:50:42.912Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-25T15:16:21.597

Modified: 2026-05-27T13:54:47.413

Link: CVE-2026-47066

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-25T22:00:12Z

Weaknesses
  • CWE-835

    Loop with Unreachable Exit Condition ('Infinite Loop')