PT-2026-43064 · Hackney · Hackney
Benoit Chesneau
+2
·
Published
2026-05-25
·
Updated
2026-06-26
·
CVE-2026-47066
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
hackney versions 2.0.0-beta.1 through 4.0.0
Description
An infinite loop exists in the Alt-Svc response header parser within
src/hackney altsvc.erl. When the parse token/2 function receives a byte that is not a token, whitespace, or comma (such as !, @, =, or ;), it returns the input unchanged. Similarly, the skip comma/1 function returns the buffer unchanged if the first byte is not a comma. This causes the parse entries/2 function to recurse with identical data, creating a tight infinite tail-recursive loop that consumes 100% of the CPU scheduler and prevents the calling process from returning. The entry point parse and cache/3 is called synchronously during every HTTP response, meaning a single-byte Alt-Svc: ! response header from any HTTP origin can trigger the hang.Recommendations
Update hackney to version 4.0.1.
Exploit
Fix
Infinite Loop
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Hackney