Description
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The URL parser in src/hackney_url.erl converts every unrecognized URL scheme to a permanent BEAM atom via binary_to_atom/2. BEAM atoms are never garbage-collected and the atom table defaults to a hard limit of 1,048,576 entries. An attacker who can supply URLs with attacker-chosen scheme prefixes — directly as request targets, as configured webhook URLs, or via Location headers followed during redirects — can exhaust the atom table and crash the entire BEAM VM with system_limit.

This issue affects hackney: from 2.0.0 before 4.0.1.
Published: 2026-05-25
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Hackney's URL parser turns any unrecognized scheme into a permanent BEAM atom that persists for the life of the VM. Because the atom table has a hard limit, an attacker can supply many unique, custom schemes and eventually exhaust the table, causing the Erlang VM to terminate with a system_limit error. This results in a denial of service that crashes any application using the affected library. The vulnerability is a classic case of CWE-770, Allocation of Resources Without Limits or Throttling.

Affected Systems

The bug is present in the Hackney HTTP client library maintained by benoitc. It affects all releases from 2.0.0 up to but not including 4.0.1. Any Erlang or Elixir application that depends on Hackney and accepts external URLs, whether as direct request targets, webhook callbacks, or redirect chains, is potentially affected.

Risk and Exploitability

The CVSS score of 8.7 indicates critical severity. No EPSS value is currently available, and the issue is not listed in CISA KEV, but the attack path is straightforward: an attacker supplies many URLs with unique, unrecognized schemes via direct request targets, webhook URLs, or redirect Location headers. Once the atom table limit is reached, the VM crashes and takes the entire application down with it. The risk is high wherever Hackney handles untrusted input or follows external redirects. Prompt remediation is recommended to prevent a production outage.

Generated by OpenCVE AI on May 25, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Hackney to version 4.0.1 or later.
  • If an upgrade is not possible, configure or patch the URL handling code to reject unknown schemes or to apply a whitelist before converting schemes to atoms, thereby preventing unlimited atom creation.
  • For redirects or webhook URLs, restrict accepted schemes to a known safe set (such as http and https) or sanitize the payload to eliminate custom schemes.
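As an added example (not hackney's own code and not part of this advisory), the following Erlang module shows the allow-list mitigation from the recommended actions above, covering the scheme-to-atom conversion that the Impact section describes, together with the atom-table monitoring a defender would want in place. The module name, the allow-list contents and the function names are assumptions chosen for illustration.

```erlang
%% scheme_guard.erl
%% Added example for this advisory; it is not code from hackney.
%% Demonstrates the mitigation in the recommended actions: map the URL
%% scheme through a fixed allow-list instead of calling binary_to_atom/2
%% on attacker-controlled input, and expose atom-table headroom for
%% monitoring.
-module(scheme_guard).
-export([parse_scheme/1, scheme_to_existing_atom/1, atom_table_usage/0]).

%% The only schemes this application will fetch (assumed allow-list).
%% The atoms http and https are created once when the module is loaded;
%% nothing an attacker sends can add entries to this map or to the atom
%% table.
-define(ALLOWED_SCHEMES, #{<<"http">> => http, <<"https">> => https}).

%% Vulnerable pattern described in the advisory, kept here only as a
%% comment:   Scheme = binary_to_atom(SchemeBin, latin1).
%% Each distinct SchemeBin creates a new atom that is never freed.

%% Hardened parser: split off the scheme, normalise case (RFC 3986
%% schemes are case-insensitive) and look it up in the allow-list.
%% Unknown schemes are returned as an error carrying the original
%% binary; no atom is ever created from input.
-spec parse_scheme(binary()) -> {ok, http | https} | {error, term()}.
parse_scheme(Url) when is_binary(Url) ->
    case binary:split(Url, <<"://">>) of
        [SchemeBin, _Rest] when byte_size(SchemeBin) > 0 ->
            Lower = string:lowercase(SchemeBin),
            case maps:find(Lower, ?ALLOWED_SCHEMES) of
                {ok, Atom} -> {ok, Atom};
                error -> {error, {unsupported_scheme, SchemeBin}}
            end;
        _ ->
            {error, no_scheme}
    end.

%% Alternative for code that must keep an atom-typed scheme field:
%% binary_to_existing_atom/2 only succeeds for atoms that already exist,
%% so it cannot grow the table. Unknown input raises badarg, which is
%% turned into an error tuple. This still accepts any pre-existing atom
%% (for example 'ok' or 'error'), so the explicit allow-list above is
%% the preferable fix.
-spec scheme_to_existing_atom(binary()) -> {ok, atom()} | {error, term()}.
scheme_to_existing_atom(SchemeBin) when is_binary(SchemeBin) ->
    try
        {ok, binary_to_existing_atom(string:lowercase(SchemeBin), utf8)}
    catch
        error:badarg -> {error, {unsupported_scheme, SchemeBin}}
    end.

%% Detection hook: current atom count, the configured limit, and the
%% fraction in use. A steadily rising fraction on a node that parses
%% external URLs is a strong signal of this class of bug. Both
%% system_info keys are standard OTP (atom_count and atom_limit).
-spec atom_table_usage() -> {non_neg_integer(), pos_integer(), float()}.
atom_table_usage() ->
    Count = erlang:system_info(atom_count),
    Limit = erlang:system_info(atom_limit),
    {Count, Limit, Count / Limit}.
```

Compile with `erlc scheme_guard.erl` and call `scheme_guard:parse_scheme/1` from the shell: a URL whose scheme is in the allow-list yields `{ok, http}` or `{ok, https}` regardless of letter case, while any other scheme yields `{error, {unsupported_scheme, Bin}}` without touching the atom table. Feeding `atom_table_usage/0` into an existing metrics exporter turns atom-table growth into an alertable signal well before the system_limit crash.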

Advisories

No advisories yet.

History

Wed, 27 May 2026 14:00:00 +0000

Type      Values Removed    Values Added
Metrics   (none)            cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Tue, 26 May 2026 16:30:00 +0000

Type      Values Removed    Values Added
Metrics   (none)            ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 25 May 2026 14:30:00 +0000

Type                  Values Removed    Values Added
Description           (none)            Full CVE description, identical to the Description section above
Title                 (none)            Atom table exhaustion via unrecognized URL schemes in hackney
First Time appeared   (none)            Benoitc; Benoitc hackney
Weaknesses            (none)            CWE-770
CPEs                  (none)            cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
Vendors & Products    (none)            Benoitc; Benoitc hackney
References            (none)            (none)
Metrics               (none)            cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-27T15:41:27.821Z

Reserved: 2026-05-18T17:28:08.321Z

Link: CVE-2026-47067

Vulnrichment

Updated: 2026-05-26T15:45:07.470Z

NVD

Status : Analyzed

Published: 2026-05-25T15:16:21.740

Modified: 2026-05-27T13:52:12.510

Link: CVE-2026-47067

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T13:00:48Z

Weaknesses
  • CWE-770: Allocation of Resources Without Limits or Throttling