CVE-2026-47067
HighSummary
A vulnerability in the hackney library allows for flooding the BEAM atom table through unbounded resource allocation. An attacker can supply malicious URLs, leading to a crash of the entire BEAM virtual machine.
Risk Assessment
The organization may experience significant disruptions in the operation of applications using hackney, potentially leading to downtime and loss of service availability.
Recommendation
It is recommended to update the hackney library to version 4.0.1 or later and to implement resource allocation limits for URLs.
Original NVD description (English source)
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The URL parser in src/hackney_url.erl converts every unrecognized URL scheme to a permanent BEAM atom via binary_to_atom/2. BEAM atoms are never garbage-collected and the atom table defaults to a hard limit of 1,048,576 entries. An attacker who can supply URLs with attacker-chosen scheme prefixes — directly as request targets, as configured webhook URLs, or via Location headers followed during redirects — can exhaust the atom table and crash the entire BEAM VM with system_limit. This issue affects hackney: from 2.0.0 before 4.0.1.

