CVE-2026-47067

Published 25/05/2026 15:16 · Modified 26/05/2026 19:58

Labels: CVE-2026-47067, 2026-05-25, 6b3ad84c-e1a6-4bf7-a703-f496b71e49db, CWE-770

Essential information

Published: 25/05/2026 15:16
Modified: 26/05/2026 19:58
CVSS: 8.7 HIGH (v3), 8.7 HIGH (v4.0)
CISA KEV: No
CWE: CWE-770

Description

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The URL parser in src/hackney_url.erl converts every unrecognized URL scheme to a permanent BEAM atom via binary_to_atom/2. BEAM atoms are never garbage-collected and the atom table defaults to a hard limit of 1,048,576 entries. An attacker who can supply URLs with attacker-chosen scheme prefixes — directly as request targets, as configured webhook URLs, or via Location headers followed during redirects — can exhaust the atom table and crash the entire BEAM VM with system_limit. This issue affects hackney: from 2.0.0 before 4.0.1.
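
The pattern described above, shown beside a hardened form, as an added illustration that is not hackney source code and not necessarily the fix shipped in 4.0.1. The module name, function names and sample URLs are hypothetical; it assumes OTP 20 or later for erlang:system_info(atom_count).

```erlang
%% Added illustration; not hackney source. All names here are hypothetical.
-module(scheme_atoms).
-export([unsafe_scheme/1, safe_scheme/1, split_scheme/1,
         atom_headroom/0, demo/0]).

%% Vulnerable pattern from the description: every distinct scheme string
%% becomes a new, permanent entry in the atom table.
unsafe_scheme(Url) when is_binary(Url) ->
    case split_scheme(Url) of
        {ok, Scheme} -> {ok, binary_to_atom(Scheme, utf8)};
        error -> {error, no_scheme}
    end.

%% Hardened pattern: only a fixed allowlist maps to atoms that already
%% exist in the source; anything else stays a binary, so untrusted input
%% never allocates an atom.
safe_scheme(Url) when is_binary(Url) ->
    case split_scheme(Url) of
        {ok, <<"http">>} -> {ok, http};
        {ok, <<"https">>} -> {ok, https};
        {ok, Other} -> {error, {unsupported_scheme, Other}};
        error -> {error, no_scheme}
    end.

%% Lower-cased text before "://", or error if it is absent or empty.
split_scheme(Url) ->
    case binary:split(Url, <<"://">>) of
        [Scheme, _Rest] when Scheme =/= <<>> ->
            {ok, string:lowercase(Scheme)};
        _ ->
            error
    end.

%% Monitoring check: atom-table slots still free on this node.
atom_headroom() ->
    erlang:system_info(atom_limit) - erlang:system_info(atom_count).

%% Compares atom-table growth for one constructed URL per code path.
demo() ->
    _ = split_scheme(<<"http://warmup.invalid/">>),  % load modules first
    A0 = erlang:system_info(atom_count),
    _ = safe_scheme(<<"zz-constructed-a://example.invalid/">>),
    A1 = erlang:system_info(atom_count),
    _ = unsafe_scheme(<<"zz-constructed-b://example.invalid/">>),
    A2 = erlang:system_info(atom_count),
    #{safe_growth => A1 - A0, unsafe_growth => A2 - A1,
      headroom => atom_headroom()}.
```

Exporting atom_headroom/0 to a metrics system and alerting on a steady decline gives early warning of atom growth from any code path, not only URL parsing.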

NVD status

Status: Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db

Affected products (CPE)

Product: benoitc / hackney
CPE: cpe:2.3:a:benoitc:hackney:[2.0.0-4.0.1]:*:*:*:*:*:*:*

References