Executive Summary

This vulnerability exists in the benoitc hackney library, specifically in its URL parser located in src/hackney_url.erl. The parser converts every unrecognized URL scheme into a permanent BEAM atom using the binary_to_atom/2 function. Since BEAM atoms are never garbage-collected and the atom table has a fixed limit of 1,048,576 entries, an attacker can supply URLs with attacker-chosen scheme prefixes to exhaust this atom table.

When the atom table is exhausted, it causes the entire BEAM virtual machine (VM) to crash with a system_limit error. This can happen through direct request targets, configured webhook URLs, or Location headers followed during redirects.

Useful 0 Not Useful 0

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) condition. By exhausting the atom table, an attacker can crash the entire BEAM VM running the hackney library, causing the application or service relying on it to become unavailable.

This can disrupt normal operations, potentially leading to downtime, loss of service, and degraded user experience.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unusual or excessive creation of BEAM atoms related to URL schemes, which may indicate attempts to exhaust the atom table.

A proof-of-concept involves repeatedly parsing URLs with unique schemes (e.g., aaaa://x, aaab://x, etc.) that steadily increase the atom count until the BEAM VM crashes.

To detect exploitation attempts on your system, you can monitor logs or network traffic for requests containing unusual or numerous unique URL scheme prefixes, especially in request targets, webhook URLs, or redirect Location headers.

Specific commands are not provided in the available resources, but you might consider Erlang VM introspection commands to monitor atom table usage, such as using `erlang:system_info(atom_count)` in the Erlang shell to check the current number of atoms.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the hackney library to version 4.0.1 or later, where the vulnerability has been fixed.

The fix changes the URL parser to use `binary_to_existing_atom` instead of `binary_to_atom`, preventing the creation of new atoms for unrecognized URL schemes and thus avoiding atom table exhaustion.

Until the upgrade can be applied, consider restricting or validating incoming URLs to prevent attacker-controlled unique scheme prefixes from being processed.

Useful 0 Not Useful 0