hackney
Hex12 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting hackneypage 1 of 1
- CVE-2025-1211MEDIUMCVSS 6.5EG 6.5✓ Fixed in 1.21.02025-02-11
vulnerable: 0.13.1 ... 1.9.0 (75 versions)
Versions of the package hackney before 1.21.0 are vulnerable to Server-side Request Forgery (SSRF) due to improper parsing of URLs by URI built-in module and hackey. Given the URL http://[email protected]/, the URI function will parse a…
- CVE-2025-3864LOWCVSS 2.3EG 2.3✓ Fixed in 1.24.02025-05-28
vulnerable: 0.13.1 ... 1.9.0 (78 versions)
Hackney fails to properly release HTTP connections to the pool after handling 307 Temporary Redirect responses. Remote attackers can exploit this to exhaust connection pools, causing denial of service in applications using the library. Fix…
- CVE-2026-47066HIGHCVSS 7.5EG 7.5✓ Fixed in 4.0.12026-05-25
vulnerable: 2.0.0 ... 4.0.0 (13 versions)
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in benoitc hackney allows Excessive Allocation. The Alt-Svc response header parser in src/hackney_altsvc.erl does not guarantee forward progress. When parse_token/2 recei…
- CVE-2026-47067HIGHCVSS 7.5EG 7.5✓ Fixed in 4.0.12026-05-25
vulnerable: 2.0.0 ... 4.0.0 (12 versions)
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The URL parser in src/hackney_url.erl converts every unrecognized URL scheme to a permanent BEAM atom via binary_to_atom/2. BEAM atoms a…
- CVE-2026-47069MEDIUMCVSS 5.3EG 5.3✓ Fixed in 4.0.12026-05-25
vulnerable: 0.13.1 ... 4.0.0 (94 versions)
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Response Splitting. The hackney_cookie:setcookie/3 function in src/hackney_cookie.erl validates the Name and Value arguments against …
- CVE-2026-47070MEDIUMCVSS 6.1EG 6.1✓ Fixed in 4.0.12026-05-25
vulnerable: 3.1.1, 3.1.2, 3.2.0, 3.2.1, 4.0.0
Sensitive Data Exposure vulnerability in benoitc hackney allows Retrieve Embedded Sensitive Data. The HTTP/3 redirect handler in src/hackney_h3.erl passes the original request headers unchanged to the redirect target without performing any…
- CVE-2026-47071HIGHCVSS 7.5EG 7.5✓ Fixed in 4.0.12026-05-25
vulnerable: 0.13.1 ... 4.0.0 (94 versions)
Uncontrolled Resource Consumption vulnerability in benoitc hackney allows Flooding. The SOCKS5 transport in src/hackney_socks5.erl correctly applies the caller-supplied timeout to the SOCKS5 negotiation phase, but then upgrades the connect…
- CVE-2026-47072HIGHCVSS 7.5EG 7.5✓ Fixed in 4.0.12026-05-25
vulnerable: 2.0.0 ... 4.0.0 (12 versions)
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackney_ws.erl copies the host, path, headers (ExtraHeaders), and proto…
- CVE-2026-47073HIGHCVSS 7.5EG 7.5✓ Fixed in 4.0.12026-05-25
vulnerable: 2.0.0 ... 4.0.0 (12 versions)
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The WebSocket client in src/hackney_ws.erl imposes no upper bound on memory consumption in three code paths. First, read_handshake_respo…
- CVE-2026-47075HIGHCVSS 7.5EG 7.5✓ Fixed in 4.0.12026-05-25
vulnerable: 0.13.1 ... 4.0.0 (94 versions)
Improper Neutralization of CRLF Sequences vulnerability in benoitc hackney allows HTTP Request Splitting. hackney does not percent-encode carriage return (\r) or line feed (\n) characters in the URL query component before constructing the …
- CVE-2026-47076MEDIUMCVSS 6.5EG 6.5✓ Fixed in 4.0.12026-05-25
vulnerable: 0.13.1 ... 4.0.0 (94 versions)
Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery. hackney_url:normalize/2 URL-decodes the host component after the URL has been parsed into a #hackney_url{} record. OTP's uri_string:parse/1 and in…
- CVE-2026-47077HIGHCVSS 7.5EG 7.5✓ Fixed in 4.0.12026-05-25
vulnerable: 2.0.0 ... 4.0.0 (12 versions)
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney_h3:await_response_loop/6 accumulates the HTTP/3 response body in memory without any size cap. The after Timeout clause is a per-…
Check whether hackney is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for hackney CVEs against the assets you own.
Start Free Scan →