CVE-2026-47067

Atom table exhaustion via unrecognized URL schemes in hackney

Previous Page: « Back to all CVEs Next Page: See on OSV.dev »

Weakness Type (CWE)

CWE-770 — CWE-770 Allocation of Resources Without Limits or Throttling

CAPEC

• CAPEC-125 — CAPEC-125 Flooding

CVSS 4.0 Score

8.7

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Vulnerability description

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding.

The URL parser in src/hackney_url.erl converts every unrecognized URL scheme to a permanent BEAM atom via binary_to_atom/2. BEAM atoms are never garbage-collected and the atom table defaults to a hard limit of 1,048,576 entries. An attacker who can supply URLs with attacker-chosen scheme prefixes — directly as request targets, as configured webhook URLs, or via Location headers followed during redirects — can exhaust the atom table and crash the entire BEAM VM with system_limit.

This issue affects hackney: from 2.0.0 before 4.0.1.

Affected

pkg:hex/hackney

Module	Source File	Routine
hackney_url	src/hackney_url.erl	hackney_url:parse_url/1

Status	Type	Version	Changes / Fixed in
affected	semver ⓘ	2.0.0	< 4.0.1

pkg:github/benoitc/hackney

Module	Source File	Routine
hackney_url	src/hackney_url.erl	hackney_url:parse_url/1

Status	Type	Version	Changes / Fixed in
affected	git ⓘ	d9713695c0	< 31f6f0e27e

References

• https://github.com/benoitc/hackney/security/advisories/GHSA-9653-rcfr-5c62 vendor-advisory related
• https://osv.dev/vulnerability/EEF-CVE-2026-47067 related
• https://github.com/benoitc/hackney/commit/31f6f0e27e096ad88743dfded4f030a3ee74972e patch

Credits

• Finder: Peter Ullrich
• Remediation developer: Benoit Chesneau
• Analyst: Jonatan Männchen

CVE record as JSON:  GET /cves/CVE-2026-47067.json
OSV record as JSON:  GET /osv/EEF-CVE-2026-47067.json