CVE-2026-47071
Status: Analyzed (Analysis Complete)
Uncontrolled Resource Consumption in hackney

Publication date: 2026-05-25

Last updated on: 2026-05-27

Assigner: EEF

Description
Uncontrolled Resource Consumption vulnerability in benoitc hackney allows Flooding. The SOCKS5 transport in src/hackney_socks5.erl correctly applies the caller-supplied timeout to the SOCKS5 negotiation phase, but then upgrades the connection to TLS using the two-argument form ssl:connect/2, which defaults to an infinite timeout. The Timeout value is in scope at the call site but is not forwarded. A hostile SOCKS5 proxy that completes the SOCKS5 handshake normally and then goes silent (or sends a partial TLS ServerHello and stalls) will cause the connecting process to block indefinitely, regardless of the connect_timeout or recv_timeout options supplied by the caller. This issue affects hackney: from 0.10.0 before 4.0.1.
Meta Information
Published
2026-05-25
Last Modified
2026-05-27
Generated
2026-06-15
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
Affected Vendors & Products
Vendor Product Version / Range
benoitc hackney From 0.10.0 (inc) to 4.0.1 (exc)
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
AI Quick Actions
Compliance Impact

The vulnerability causes uncontrolled resource consumption leading to denial-of-service conditions: Erlang processes block indefinitely during the TLS handshake with a hostile SOCKS5 proxy.

While the CVE description and resources detail the technical impact and availability risk, there is no explicit information on how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability is an Uncontrolled Resource Consumption issue in the benoitc hackney library related to its SOCKS5 transport implementation. Specifically, during the SOCKS5 negotiation phase, a caller-supplied timeout is correctly applied. However, when the connection is upgraded to TLS using ssl:connect/2, the timeout is not forwarded and defaults to infinite. As a result, a hostile SOCKS5 proxy that completes the handshake but then becomes silent or stalls during the TLS handshake can cause the connecting process to block indefinitely.

Impact Analysis

The impact of this vulnerability is that a malicious SOCKS5 proxy can cause a denial of service by making the connecting process block indefinitely. This uncontrolled resource consumption can lead to system resource exhaustion, potentially degrading service availability or causing application crashes.

Detection Guidance

This vulnerability causes the connecting Erlang process and socket to block indefinitely during the TLS handshake upgrade phase when communicating with a hostile SOCKS5 proxy that stalls or sends partial TLS ServerHello messages.

Detection can involve monitoring for Erlang processes related to hackney connections that remain in a blocked or hung state for unusually long periods, especially during SOCKS5 proxy connections.

You can use system and Erlang-specific commands to identify stuck processes or sockets:

  • Use `ps` or equivalent to find the Erlang VM (BEAM) OS process and check for unusually high resource usage or a non-responsive state.
  • Within the Erlang shell, use `process_info(Pid)` on suspected PIDs to check their current status and message queue length.
  • Use network tools like `netstat` or `ss` to identify open sockets that have been established for an unusually long time without data transfer.
  • Monitor logs for repeated or stalled SOCKS5 proxy connections or TLS handshake failures.

Mitigation Strategies

The primary mitigation is to upgrade the hackney library to version 4.0.1 or later, where the vulnerability has been fixed by forwarding the caller's timeout to the TLS upgrade process.

If upgrading immediately is not possible, consider implementing network-level protections such as limiting connections to trusted SOCKS5 proxies and monitoring for stalled TLS handshakes.

Additionally, configure timeouts and resource limits at the system or application level to detect and terminate hung connections or processes.
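The Erlang module below is an added illustration of the defect and its fix, not code from hackney itself (module and function names are assumptions). It shows the TLS upgrade once with the unbounded ssl:connect/2 form the advisory describes and once with the caller's Timeout forwarded via ssl:connect/3, plus a local reproduction of the failure mode against a listener that accepts the connection and then stays silent, standing in for a proxy that stalls after the SOCKS5 phase.

```erlang
%% Added example, not hackney's own code: TLS upgrade after a SOCKS5
%% negotiation, once with the unbounded ssl:connect/2 form and once with the
%% caller's Timeout forwarded via ssl:connect/3. Names are illustrative.
-module(socks5_tls_upgrade_example).
-export([upgrade_unbounded/2, upgrade_bounded/3, demo_stalled_proxy/1]).

%% Vulnerable pattern: Timeout is in scope at the call site but never reaches
%% ssl:connect/2, whose handshake timeout defaults to infinity. A proxy that
%% finishes the SOCKS5 handshake and then goes silent parks this process forever.
upgrade_unbounded(Socket, SslOpts) ->
    ssl:connect(Socket, SslOpts).

%% Hardened pattern: forward the same Timeout that already bounded the SOCKS5
%% negotiation. On timeout or any other failure the plain socket is closed so
%% neither the process nor the file descriptor is leaked.
upgrade_bounded(Socket, SslOpts, Timeout) ->
    case ssl:connect(Socket, SslOpts, Timeout) of
        {ok, SslSocket} ->
            {ok, SslSocket};
        {error, _Reason} = Err ->
            gen_tcp:close(Socket),
            Err
    end.

%% Local reproduction of the failure mode (constructed, loopback only): a
%% listener on 127.0.0.1 accepts the TCP connection and never sends a byte.
%% The bounded upgrade returns {error, timeout} after roughly TimeoutMs ms;
%% upgrade_unbounded/2 on the same socket would never return.
demo_stalled_proxy(TimeoutMs) ->
    {ok, _} = application:ensure_all_started(ssl),
    {ok, Listen} = gen_tcp:listen(0, [binary, {active, false}, {ip, {127,0,0,1}}]),
    {ok, Port} = inet:port(Listen),
    Parent = self(),
    Stall = spawn_link(fun() ->
        {ok, Accepted} = gen_tcp:accept(Listen),
        Parent ! accepted,
        %% hold the connection open without ever sending a ServerHello
        receive stop -> gen_tcp:close(Accepted) end
    end),
    {ok, Socket} = gen_tcp:connect({127,0,0,1}, Port, [binary, {active, false}]),
    receive accepted -> ok end,
    Result = upgrade_bounded(Socket, [{verify, verify_none}], TimeoutMs),
    Stall ! stop,
    gen_tcp:close(Listen),
    Result.
```

From an Erlang shell, `c(socks5_tls_upgrade_example).` followed by `socks5_tls_upgrade_example:demo_stalled_proxy(2000).` returns an `{error, _}` tuple (normally `{error, timeout}`) after about two seconds, which is the behaviour the 4.0.1 fix restores for callers that set connect_timeout; the same scenario through `upgrade_unbounded/2` hangs the calling process, which is what `process_info(Pid)` would show as a stuck hackney connection process on an unpatched version.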
