
Description

Uncontrolled Resource Consumption vulnerability in benoitc hackney allows Flooding. The SOCKS5 transport in src/hackney_socks5.erl correctly applies the caller-supplied timeout to the SOCKS5 negotiation phase, but then upgrades the connection to TLS using the two-argument form ssl:connect/2, which defaults to an infinite timeout. The Timeout value is in scope at the call site but is not forwarded. A hostile SOCKS5 proxy that completes the SOCKS5 handshake normally and then goes silent (or sends a partial TLS ServerHello and stalls) will cause the connecting process to block indefinitely, regardless of the connect_timeout or recv_timeout options supplied by the caller. This issue affects hackney: from 0.10.0 before 4.0.1.
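The defect and its corrective shape, as an added Erlang example that is not hackney's own code (module and function names are assumptions; ssl:connect/2 and ssl:connect/3 are the OTP ssl API the description refers to, and the project's actual fix is the commit listed under References):

```erlang
%% Added example (not hackney's code): upgrading a SOCKS5-negotiated
%% TCP socket to TLS without losing the caller's timeout.
%% Module and function names are assumptions for illustration.
-module(socks5_tls_upgrade).
-export([upgrade_unbounded/2, upgrade/3, deadline_ms/1, remaining_ms/2]).

%% The shape the advisory describes: ssl:connect/2 takes no timeout and
%% defaults to infinity, so a proxy that completes SOCKS5 and then stalls
%% (or sends a partial ServerHello) blocks this process forever.
upgrade_unbounded(TcpSocket, TlsOpts) ->
    ssl:connect(TcpSocket, TlsOpts).

%% Hardened shape: the remaining budget is forwarded as the third argument
%% of ssl:connect/3, so the TLS handshake is bounded by the same deadline
%% that already covered the TCP connect and the SOCKS5 negotiation.
upgrade(TcpSocket, TlsOpts, Deadline) ->
    case remaining_ms(Deadline, erlang:monotonic_time(millisecond)) of
        0 ->
            %% Budget already spent during SOCKS5; do not start a
            %% handshake that would have to finish in zero time.
            gen_tcp:close(TcpSocket),
            {error, timeout};
        Left ->
            ssl:connect(TcpSocket, TlsOpts, Left)
    end.

%% Absolute monotonic deadline from a relative connect timeout
%% (milliseconds, or the atom infinity as gen_tcp/ssl accept it).
deadline_ms(infinity) -> infinity;
deadline_ms(TimeoutMs) when is_integer(TimeoutMs), TimeoutMs >= 0 ->
    erlang:monotonic_time(millisecond) + TimeoutMs.

%% Milliseconds left before Deadline at monotonic time Now; never negative.
remaining_ms(infinity, _Now) -> infinity;
remaining_ms(Deadline, Now) when Deadline =< Now -> 0;
remaining_ms(Deadline, Now) -> Deadline - Now.
```

Callers compute `Deadline = deadline_ms(ConnectTimeout)` once before the TCP connect and pass it through every phase, so a proxy that goes silent after the SOCKS5 handshake produces `{error, timeout}` from ssl:connect/3 instead of an indefinitely blocked process.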

PUBLISHED Reserved 2026-05-18 | Published 2026-05-25 | Updated 2026-05-27 | Assigner EEF




HIGH: 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-400 Uncontrolled Resource Consumption

Product status

Default status: unaffected
0.10.0 (semver) before 4.0.1: affected

Default status: unaffected
34cdbd1d20a282aacc286a89327465a3925b4c5d (git) before 5ccdab725c561a6f03d05a51f2d0664f98236dae: affected

Credits

Peter Ullrich (finder)

Benoit Chesneau (remediation developer)

Jonatan Männchen / EEF (analyst)

References

github.com/...ackney/security/advisories/GHSA-gp9c-pm5m-5cxr (exploit)

github.com/...ackney/security/advisories/GHSA-gp9c-pm5m-5cxr (vendor-advisory, related)

cna.erlef.org/cves/CVE-2026-47071.html (related)

osv.dev/vulnerability/EEF-CVE-2026-47071 (related)

github.com/...ommit/5ccdab725c561a6f03d05a51f2d0664f98236dae (patch)

cve.org (CVE-2026-47071)

nvd.nist.gov (CVE-2026-47071)
