PT-2026-43070 · Hexpm · Hackney

Benoit Chesneau

+2

·

Published

2026-05-25

·

Updated

2026-06-26

·

CVE-2026-47073

CVSS v4.0

8.7

High

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions hackney versions 2.0.0 through 4.0.0
Description The WebSocket client in src/hackney ws.erl lacks upper bounds on memory consumption across three code paths, allowing for flooding. First, the read handshake response/3 function accumulates received bytes into a buffer without a size cap; a server streaming bytes without the required termination sequence causes the buffer to grow until memory is exhausted. Second, the parse payload/9 and parse active payload/8 functions do not validate declared frame payload lengths, which can be up to 2^63-1 bytes per RFC 6455, leading to Out-of-Memory (OOM) conditions when a server announces a very large frame. Third, the frag buffer field in #ws data{} accumulates continuation frames indefinitely if a server sends a stream of non-final fragmented frames without a final frame. An attacker only needs to control the WebSocket server the client connects to, requiring no authentication or special configuration.
Recommendations Update to version 4.0.1.

Exploit

Fix

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-47073
GHSA-Q8JG-FGJ4-FPHF

Affected Products

Hackney