PT-2026-43065 · Hackney · Hackney

Benoit Chesneau

+2

·

Published

2026-05-25

·

Updated

2026-06-26

·

CVE-2026-47067

CVSS v4.0

8.7

High

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions hackney versions 2.0.0 through 4.0.0
Description An issue in the URL parser within src/hackney url.erl allows for resource exhaustion. The parser uses the binary to atom/2 function to convert unrecognized URL schemes into permanent BEAM atoms. Since BEAM atoms are not garbage-collected and the atom table has a hard limit of 1,048,576 entries, an attacker can exhaust this table by providing URLs with custom scheme prefixes. This can be achieved through request targets, configured webhook URLs, or Location headers during redirects, leading to a crash of the entire BEAM VM with a system limit error.
Recommendations Update to version 4.0.1.

Exploit

Fix

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-47067
GHSA-9653-RCFR-5C62

Affected Products

Hackney