PT-2026-43064 · Hackney · Hackney

Benoit Chesneau

+2

·

Published

2026-05-25

·

Updated

2026-06-26

·

CVE-2026-47066

CVSS v4.0

8.7

High

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions hackney versions 2.0.0-beta.1 through 4.0.0
Description An infinite loop exists in the Alt-Svc response header parser within src/hackney altsvc.erl. When the parse token/2 function receives a byte that is not a token, whitespace, or comma (such as !, @, =, or ;), it returns the input unchanged. Similarly, the skip comma/1 function returns the buffer unchanged if the first byte is not a comma. This causes the parse entries/2 function to recurse with identical data, creating a tight infinite tail-recursive loop that consumes 100% of the CPU scheduler and prevents the calling process from returning. The entry point parse and cache/3 is called synchronously during every HTTP response, meaning a single-byte Alt-Svc: ! response header from any HTTP origin can trigger the hang.
Recommendations Update hackney to version 4.0.1.

Exploit

Fix

Infinite Loop

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-47066
GHSA-6CP8-V795-JR2J

Affected Products

Hackney