CVE Catalog

CVE-2026-47067

High
Published: Translated: NVD NIST

Summary

A vulnerability in the hackney library allows for flooding the BEAM atom table through unbounded resource allocation. An attacker can supply malicious URLs, leading to a crash of the entire BEAM virtual machine.

Risk Assessment

The organization may experience significant disruptions in the operation of applications using hackney, potentially leading to downtime and loss of service availability.

Recommendation

It is recommended to update the hackney library to version 4.0.1 or later and to implement resource allocation limits for URLs.

Original NVD description (English source)

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The URL parser in src/hackney_url.erl converts every unrecognized URL scheme to a permanent BEAM atom via binary_to_atom/2. BEAM atoms are never garbage-collected and the atom table defaults to a hard limit of 1,048,576 entries. An attacker who can supply URLs with attacker-chosen scheme prefixes — directly as request targets, as configured webhook URLs, or via Location headers followed during redirects — can exhaust the atom table and crash the entire BEAM VM with system_limit. This issue affects hackney: from 2.0.0 before 4.0.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS