PatchSiren cyber security CVE debrief

CVE-2026-47067 benoitc CVE debrief

A resource exhaustion vulnerability in the Hackney HTTP client library for Erlang/Elixir allows remote attackers to crash the BEAM virtual machine by flooding it with unique URL scheme prefixes. The vulnerability stems from the use of `binary_to_atom/2` in the URL parser, which converts unrecognized schemes to permanent atoms that are never garbage-collected. With a default atom table limit of 1,048,576 entries, an attacker can exhaust this finite resource through crafted URLs supplied as request targets, webhook configurations, or redirect Location headers. This affects Hackney versions 2.0.0 through 4.0.0, with version 4.0.1 containing the remediation. The CVSS 4.0 vector indicates network attack vector with low complexity, no privileges required, and high availability impact. The vulnerability was published to CVE on 2026-05-25 and last modified on 2026-05-26.

Vendor: benoitc
Product: hackney
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-27
Advisory published: 2026-05-25
Advisory updated: 2026-05-27

Who should care

Organizations running Erlang or Elixir applications using the hackney HTTP client library, particularly those exposing HTTP client functionality to untrusted input or following redirects from external sources. This includes web applications, webhook receivers, API gateways, and microservices that process URLs from user input or third-party callbacks.

Technical summary

The vulnerability exists in `src/hackney_url.erl` where the URL parser converts unrecognized URL scheme prefixes to BEAM atoms using `binary_to_atom/2`. BEAM atoms are permanent, global, and never garbage-collected, with a default system limit of 1,048,576 entries. An attacker supplying URLs with unique scheme prefixes (e.g., `attacker1://`, `attacker2://`, etc.) can exhaust this finite atom table, triggering a `system_limit` error that crashes the entire BEAM VM. Attack vectors include direct request targets, configured webhook URLs, and Location headers in HTTP redirects. The fix in version 4.0.1 likely replaces `binary_to_atom/2` with `binary_to_existing_atom/2` or implements scheme whitelist validation to prevent unbounded atom creation.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade hackney to version 4.0.1 or later, which contains the remediation
  • If immediate patching is not feasible, implement input validation to reject or sanitize URLs with non-standard scheme prefixes before passing them to hackney
  • Consider implementing rate limiting on URL processing paths that accept external input
  • Monitor BEAM VM atom table usage via `:erlang.system_info(:atom_count)` and `:erlang.system_info(:atom_limit)` for anomalous growth
  • Review webhook configurations and redirect-following logic to ensure untrusted URLs cannot reach the vulnerable parser
  • For Elixir applications, consider using the `:hackney` application environment to disable automatic redirect following if not required
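As an added example (not code from hackney or from the advisory), the following Elixir module shows the two mitigations above in working form: a fixed scheme allowlist checked as a binary before a URL reaches the client, the `String.to_existing_atom/1` pattern that cannot grow the atom table, and a headroom check built on the `atom_count`/`atom_limit` values the monitoring bullet names. The module name `HackneyGuard`, its function names, the 50% warning threshold and the presence of hackney as a dependency are assumptions.

```elixir
defmodule HackneyGuard do
  @moduledoc "Assumed module: vet URLs before they reach hackney."

  # Fixed allowlist; only these schemes are ever forwarded to the client.
  @allowed_schemes ~w(http https)

  @doc "Returns {:ok, url} or {:error, reason}; schemes are compared as binaries."
  def validate(url) when is_binary(url) do
    case String.split(url, "://", parts: 2) do
      [scheme, rest] when rest != "" ->
        if String.downcase(scheme) in @allowed_schemes do
          {:ok, url}
        else
          # Rejected without ever creating an atom from attacker-controlled input.
          {:error, {:disallowed_scheme, scheme}}
        end

      _ ->
        {:error, :no_scheme}
    end
  end

  @doc """
  Safe pattern for code that needs a scheme as an atom: convert only when the
  atom already exists, so unknown input cannot add entries to the atom table.
  """
  def scheme_atom(scheme) when is_binary(scheme) do
    {:ok, String.to_existing_atom(scheme)}
  rescue
    ArgumentError -> {:error, :unknown_scheme}
  end

  @doc "Atom table headroom for a periodic monitor; :warn above `threshold`."
  def atom_table_status(threshold \\ 0.5) do
    count = :erlang.system_info(:atom_count)
    limit = :erlang.system_info(:atom_limit)
    status = if count / limit > threshold, do: :warn, else: :ok
    {status, count, limit}
  end

  @doc "Validate first, then issue the request through hackney."
  def get(url, headers \\ [], opts \\ []) do
    with {:ok, safe_url} <- validate(url) do
      :hackney.request(:get, safe_url, headers, "", opts)
    end
  end
end
```

Call `HackneyGuard.get/3` in place of direct `:hackney.request/5` calls on paths that take URLs from requests, webhook settings or redirect targets, and poll `atom_table_status/1` from a scheduled job or health check.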

Evidence notes

CVE description confirms the vulnerability mechanism: `binary_to_atom/2` conversion of URL schemes to permanent BEAM atoms with no garbage collection. Affected versions are explicitly stated as 2.0.0 up to, but not including, 4.0.1. The CVSS 4.0 vector from NVD source data shows AV:N/AC:L/AT:N/PR:N/UI:N/VA:H. GitHub advisory GHSA-9653-rcfr-5c62 and commit 31f6f0e27e096ad88743dfded4f030a3ee74972e provide vendor acknowledgment and fix verification. CWE-770 (Allocation of Resources Without Limits or Throttling) is listed as the secondary weakness classification.

Official resources

2026-05-25T15:16:21.740Z