CVE-2026-47071
Uncontrolled Resource Consumption in hackney
Publication date: 2026-05-25
Last updated on: 2026-05-25
Assigner: EEF
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| benoitc | hackney | From 0.10.0 (inc) to 4.0.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Uncontrolled Resource Consumption issue in the benoitc hackney library related to its SOCKS5 transport implementation. Specifically, during the SOCKS5 negotiation phase, a caller-supplied timeout is correctly applied. However, when the connection is upgraded to TLS using ssl:connect/2, the timeout is not forwarded and defaults to infinite. As a result, a hostile SOCKS5 proxy that completes the handshake but then becomes silent or stalls during the TLS handshake can cause the connecting process to block indefinitely.
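The unbounded and bounded forms of the TLS upgrade, as an added Erlang example (not hackney's code; the module name, function names, 500 ms timeout and loopback listener are assumptions made for illustration). A constructed listener that completes the TCP connection and never writes stands in for the stalled proxy, so `ssl:connect/3` returns `{error, timeout}` where `ssl:connect/2` would keep the caller blocked.

```erlang
%% Added example, not hackney's code. All names here are hypothetical.
-module(tls_upgrade_timeout).
-export([upgrade/3, demo/0]).

%% Upgrade an already-connected TCP socket to TLS with a bounded handshake.
%% ssl:connect(Sock, Opts) behaves like ssl:connect(Sock, Opts, infinity),
%% so the caller's timeout only applies if it is passed explicitly.
upgrade(Sock, TlsOpts, Timeout) when is_integer(Timeout), Timeout >= 0 ->
    case ssl:connect(Sock, TlsOpts, Timeout) of
        {ok, TlsSock} ->
            {ok, TlsSock};
        {error, Reason} ->
            %% Release the socket so a stalled peer cannot pin the
            %% file descriptor as well as the process.
            catch gen_tcp:close(Sock),
            {error, Reason}
    end.

%% Constructed test peer: a loopback listener that never calls accept/1 and
%% never writes. The kernel completes the TCP handshake from the backlog,
%% then the peer stays silent during the TLS handshake.
demo() ->
    {ok, _} = application:ensure_all_started(ssl),
    Loopback = {127, 0, 0, 1},
    {ok, Listen} = gen_tcp:listen(0, [binary, {active, false}, {ip, Loopback}]),
    {ok, Port} = inet:port(Listen),
    %% The socket must be passive before it is handed to ssl:connect/3.
    {ok, Sock} = gen_tcp:connect(Loopback, Port,
                                 [binary, {active, false}], 1000),
    T0 = erlang:monotonic_time(millisecond),
    %% verify_none only because no certificate is ever received in this
    %% demo; production callers keep verify_peer with a CA bundle.
    Result = upgrade(Sock, [{verify, verify_none}], 500),
    Elapsed = erlang:monotonic_time(millisecond) - T0,
    ok = gen_tcp:close(Listen),
    %% Result is {error, timeout}; Elapsed is roughly the 500 ms budget.
    {Result, Elapsed}.
```

Callers that cannot change the upgrade call can get the same bound by running the connect in a monitored process and killing it when a deadline passes.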
How can this vulnerability impact me?
The impact of this vulnerability is that a malicious SOCKS5 proxy can cause a denial of service by making the connecting process block indefinitely. This uncontrolled resource consumption can lead to system resource exhaustion, potentially degrading service availability or causing application crashes.