EEF-CVE-2026-47077
- Source
- https://cna.erlef.org/osv/EEF-CVE-2026-47077.html
- Import Source
- https://cna.erlef.org/osv/EEF-CVE-2026-47077.json
- JSON Data
- https://api.osv.dev/v1/vulns/EEF-CVE-2026-47077
- Aliases
-
- CVE-2026-47077
- GHSA-jq4m-q6p2-8gwc
- Published
- 2026-05-25T14:00:42.217Z
- Modified
- 2026-05-26T19:46:43.179Z
- Severity
-
- 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Unbounded body accumulation in HTTP/3 response loop in hackney
- Details
-
Summary
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackneyh3:awaitresponse_loop/6 accumulates the HTTP/3 response body in memory without any size cap. The after Timeout clause is a per-message inactivity timer that resets on every received chunk, housekeeping message, or settings frame — it is not a wall-clock deadline. A malicious HTTP/3 server that emits one small chunk every Timeout - 1 ms with Fin = false and never sends a final frame keeps the loop alive indefinitely while the accumulation buffer grows linearly without bound, eventually exhausting the BEAM process heap and causing an out-of-memory condition.
This issue affects hackney: from 2.0.0 before 4.0.1.
Configuration
The application must use the HTTP/3 transport by calling hackney_h3 directly or by passing {transport, h3} to hackney:request/5. The default hackney transport (TCP/TLS) is not affected.
- Database specific
{ "cpe_ids": [ "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*" ], "cwe_ids": [ "CWE-400" ], "capec_ids": [ "CAPEC-125" ] }- References
- Credits
-
-
- Peter Ullrich - FINDER
-
- Benoit Chesneau - REMEDIATION_DEVELOPER
-
- Jonatan Männchen - ANALYST
-
Affected packages
Hex / hackney
Package
- Name
- hackney
- Purl
- pkg:hex/hackney