CVE-2026-47067

HIGH EPSS 48.6%
Published May 25, 20261mo ago · Modified Jun 17, 20262w ago
8.7 CVSS 4.0
High
Find Similar
Published May 25, 2026 1mo ago
Last Modified Jun 17, 2026 2w ago

Description

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The URL parser in src/hackney_url.erl converts every unrecognized URL scheme to a permanent BEAM atom via binary_to_atom/2. BEAM atoms are never garbage-collected and the atom table defaults to a hard limit of 1,048,576 entries. An attacker who can supply URLs with attacker-chosen scheme prefixes — directly as request targets, as configured webhook URLs, or via Location headers followed during redirects — can exhaust the atom table and crash the entire BEAM VM with system_limit. This issue affects hackney: from 2.0.0 before 4.0.1.

CVSS Details

Base Score
8.7
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
48.6% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-770

Affected Products 1

VendorProductVersionRange
benoitchackney*≥2.0.0  –  <4.0.1

References 4

  • cna.erlef.org https://cna.erlef.org/cves/CVE-2026-47067.html
    PatchThird Party Advisory
  • github.com https://github.com/benoitc/hackney/commit/31f6f0e27e096ad88743dfded4f030a3ee74972e
    Patch
  • github.com https://github.com/benoitc/hackney/security/advisories/GHSA-9653-rcfr-5c62
    ExploitPatchVendor Advisory
  • osv.dev https://osv.dev/vulnerability/EEF-CVE-2026-47067
    PatchThird Party Advisory

Remediation

  • cna.erlef.org https://cna.erlef.org/cves/CVE-2026-47067.html
    PatchThird Party Advisory
  • github.com https://github.com/benoitc/hackney/commit/31f6f0e27e096ad88743dfded4f030a3ee74972e
    Patch
  • github.com https://github.com/benoitc/hackney/security/advisories/GHSA-9653-rcfr-5c62
    ExploitPatchVendor Advisory
  • osv.dev https://osv.dev/vulnerability/EEF-CVE-2026-47067
    PatchThird Party Advisory