Description
Uncontrolled Resource Consumption vulnerability in benoitc hackney allows Flooding. The SOCKS5 transport in src/hackney_socks5.erl correctly applies the caller-supplied timeout to the SOCKS5 negotiation phase, but then upgrades the connection to TLS using the two-argument form ssl:connect/2, which defaults to an infinite timeout. The Timeout value is in scope at the call site but is not forwarded. A hostile SOCKS5 proxy that completes the SOCKS5 handshake normally and then goes silent (or sends a partial TLS ServerHello and stalls) will cause the connecting process to block indefinitely, regardless of the connect_timeout or recv_timeout options supplied by the caller.

This issue affects hackney: from 0.10.0 before 4.0.1.
Published: 2026-05-25
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Uncontrolled Resource Consumption vulnerability in the Hackney HTTP client occurs when a SOCKS5 proxy performs an apparently normal handshake and then stalls the TLS upgrade. The implementation fails to forward the caller-supplied timeout to the TLS connection, so ssl:connect/2 runs with its default infinite timeout. The process that initiated the connection therefore blocks indefinitely, consuming system resources and unable to serve other tasks. This can lead to degraded performance or complete service interruption if an attacker repeatedly opens connections.

Affected Systems

The bug affects the Hackney library maintained by benoitc. Versions from 0.10.0 up to but not including 4.0.1 are vulnerable. Upgrading to 4.0.1 or newer eliminates the flaw.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity, but the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is malicious use of a SOCKS5 proxy that acts correctly during the handshake but then stalls or sends a partial TLS ServerHello. An attacker could force a target process to hang by repeatedly establishing such connections, exhausting CPU, memory, or other process limits. Because the flaw lies in the library, it can be exploited wherever Hackney is used without additional privileges.

Generated by OpenCVE AI on May 25, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Hackney to version 4.0.1 or later, where the timeout is properly forwarded during the TLS upgrade.
  • If an immediate upgrade is not viable, modify the SOCKS5 client configuration to explicitly provide a finite timeout for the TLS handshake, for example by using ssl:connect/4 or a custom wrapper that enforces a timeout.
  • Place the Hackney connection in a supervised process that terminates after a configurable inactivity period, ensuring that stalled connections do not accumulate resources over time.

Generated by OpenCVE AI on May 25, 2026 at 15:52 UTC.
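The following Erlang module is an added example and is not code from hackney or from OpenCVE. It contrasts the shape the description names (the caller's timeout honoured for the proxy negotiation but dropped at the TLS upgrade through ssl:connect/2) with the remediation the recommended actions describe: carrying one deadline through every phase and upgrading with the three-argument form ssl:connect/3, which takes the existing TCP socket, the TLS options and a timeout. The module name, the `Negotiate` fun standing in for the SOCKS5 exchange, and the verified-TLS option set are assumptions of this example.

```erlang
%% Added example for CVE-2026-47071; this is not hackney's code. It contrasts
%% the shape the description names (timeout honoured for the proxy negotiation,
%% dropped at the TLS upgrade via ssl:connect/2) with a version that carries
%% one deadline through every phase and upgrades with ssl:connect/3.
-module(tls_upgrade_timeout).
-export([connect_unbounded/4, connect_bounded/4, remaining/1]).

%% Assumptions: Host is a hostname string, Port an integer, Timeout is in
%% milliseconds, and Negotiate is a hypothetical fun(TcpSocket, TimeoutMs) ->
%% ok | {error, Reason} standing in for the SOCKS5 negotiation, which is
%% assumed to honour the timeout it is given.

%% Verified TLS options; public_key:cacerts_get/0 needs OTP 25 or later.
tls_opts(Host) ->
    [{verify, verify_peer},
     {cacerts, public_key:cacerts_get()},
     {server_name_indication, Host}].

%% Flawed shape. Timeout bounds gen_tcp:connect/4 and the negotiation, but the
%% upgrade is ssl:connect/2, whose handshake timeout defaults to infinity. A
%% proxy that completes the negotiation and then goes silent keeps this
%% process blocked indefinitely, whatever Timeout the caller passed.
connect_unbounded(Host, Port, Negotiate, Timeout) ->
    case gen_tcp:connect(Host, Port, [binary, {active, false}], Timeout) of
        {ok, Tcp} ->
            case Negotiate(Tcp, Timeout) of
                ok ->
                    %% Timeout is in scope here but not forwarded.
                    ssl:connect(Tcp, tls_opts(Host));
                {error, _} = Err ->
                    gen_tcp:close(Tcp),
                    Err
            end;
        {error, _} = Err ->
            Err
    end.

%% Hardened shape. One deadline covers TCP connect, negotiation and TLS
%% handshake; each phase receives only the time still left, and the upgrade
%% uses ssl:connect/3 (TCPSocket, TLSOptions, Timeout), so a stalled or
%% half-finished handshake ends in {error, timeout} instead of a hang.
connect_bounded(Host, Port, Negotiate, Timeout) ->
    Deadline = erlang:monotonic_time(millisecond) + Timeout,
    case gen_tcp:connect(Host, Port, [binary, {active, false}],
                         remaining(Deadline)) of
        {ok, Tcp} ->
            Result = case Negotiate(Tcp, remaining(Deadline)) of
                         ok ->
                             ssl:connect(Tcp, tls_opts(Host), remaining(Deadline));
                         {error, _} = Err ->
                             Err
                     end,
            case Result of
                {ok, _TlsSocket} = Ok ->
                    Ok;
                {error, _} = Failed ->
                    %% Do not leave the raw socket behind on any failure;
                    %% closing an already-closed socket is harmless.
                    gen_tcp:close(Tcp),
                    Failed
            end;
        {error, _} = Err ->
            Err
    end.

%% Milliseconds left until Deadline, clamped at 0 so an exhausted budget makes
%% the remaining phases fail fast rather than wait.
remaining(Deadline) ->
    max(0, Deadline - erlang:monotonic_time(millisecond)).
```

A call such as `tls_upgrade_timeout:connect_bounded("proxy.example.invalid", 1080, fun(_Sock, _T) -> ok end, 5000)` gives the whole connect-negotiate-upgrade sequence a single 5-second budget; in a client like hackney that budget would be the caller's connect_timeout. Treating the timeout as a shared deadline rather than re-applying the full value to each phase also matters for detection: a connection that fails with {error, timeout} is logged and released, whereas the unbounded form produces no event at all, only a growing population of blocked processes.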

Advisories

No advisories yet.

History

Wed, 27 May 2026 14:00:00 +0000

  Type     Values Removed   Values Added
  Metrics  (none)           cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Tue, 26 May 2026 21:30:00 +0000

  Type     Values Removed   Values Added
  Metrics  (none)           ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 25 May 2026 14:30:00 +0000

  Type                 Values Removed   Values Added
  Description          (none)           Uncontrolled Resource Consumption vulnerability in benoitc hackney allows Flooding. The SOCKS5 transport in src/hackney_socks5.erl correctly applies the caller-supplied timeout to the SOCKS5 negotiation phase, but then upgrades the connection to TLS using the two-argument form ssl:connect/2, which defaults to an infinite timeout. The Timeout value is in scope at the call site but is not forwarded. A hostile SOCKS5 proxy that completes the SOCKS5 handshake normally and then goes silent (or sends a partial TLS ServerHello and stalls) will cause the connecting process to block indefinitely, regardless of the connect_timeout or recv_timeout options supplied by the caller. This issue affects hackney: from 0.10.0 before 4.0.1.
  Title                (none)           SOCKS5 TLS upgrade ignores caller timeout in hackney
  First Time appeared  (none)           Benoitc; Benoitc hackney
  Weaknesses           (none)           CWE-400
  CPEs                 (none)           cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
  Vendors & Products   (none)           Benoitc; Benoitc hackney
  References           (none)
  Metrics              (none)           cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-27T15:40:48.584Z

Reserved: 2026-05-18T17:28:08.322Z

Link: CVE-2026-47071

Vulnrichment

Updated: 2026-05-26T15:48:26.504Z

NVD

Status : Analyzed

Published: 2026-05-25T15:16:22.143

Modified: 2026-05-27T13:56:30.803

Link: CVE-2026-47071

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T13:00:54Z

Weaknesses
  • CWE-400: Uncontrolled Resource Consumption