
CVE-2025-3864: CWE-772 Missing Release of Resource after Effective Lifetime in hackney

Low
Tags: Vulnerability, CVE-2025-3864, CWE-772
Published: Wed May 28 2025 (05/28/2025, 11:19:15 UTC)
Source: CVE Database V5
Vendor/Project: hackney
Product: hackney

Description

Hackney fails to properly release HTTP connections to the pool after handling 307 Temporary Redirect responses. Remote attackers can exploit this to exhaust connection pools, causing denial of service in applications using the library. A fix for this issue has been included in the 1.24.0 release.

AI-Powered Analysis

AI analysis last updated: 07/06/2025, 01:42:00 UTC

Technical Analysis

CVE-2025-3864 is a resource-management flaw in the hackney HTTP client library (an Erlang library that is also widely used from Elixir, for example through HTTPoison) in its handling of HTTP 307 Temporary Redirect responses. After processing such a response, hackney does not return the underlying connection to its connection pool, so the connection remains checked out although it is no longer in use. This is CWE-772, Missing Release of Resource after Effective Lifetime. Because hackney is a client library, the trigger is a server response rather than an inbound request: an attacker who controls, or can influence, an endpoint that the application fetches (a user-supplied webhook or callback URL, a link-preview target, an upstream the application proxies to) simply answers with 307 responses. Each such response leaks one pooled connection; once the pool is depleted, legitimate requests through that pool can no longer obtain a connection and fail once the pool checkout times out, which is a denial of service (DoS) for the application. The leak is not specific to malicious servers: any 307 response costs a connection, so redirect-heavy workloads against legitimate servers gradually lose pool capacity as well. All versions prior to 1.24.0 are affected; the fix is included in the 1.24.0 release. The CVSS 4.0 base score is 2.3 (Low). The low score reflects that the only impact is degradation of availability through resource exhaustion, with no confidentiality or integrity impact and no direct data compromise or code execution; the attack vector is network-based and the attack complexity is low. No known exploits are currently reported in the wild. The issue matters most for applications that rely on hackney for outbound HTTP, in particular those that fetch URLs they do not control or that operate under high load, where a shrinking pool quickly degrades service availability.

Potential Impact

For European organizations, the primary impact of CVE-2025-3864 is the potential for denial of service in applications that utilize the hackney HTTP client library. This can disrupt business operations, particularly for services that depend on stable and reliable HTTP communications, such as web services, APIs, and microservices architectures. Organizations in sectors like finance, healthcare, telecommunications, and government, which often rely on robust backend communication libraries, may experience service outages or degraded performance if the vulnerability is exploited. Although the severity is rated low, the operational impact can be significant in environments with high traffic or where service availability is critical. Additionally, the exploitation does not require authentication, increasing the risk from external attackers. The vulnerability could be leveraged as part of a broader attack chain to cause service disruption or to distract from other malicious activities. European organizations with compliance obligations around service availability and incident response should prioritize patching to maintain operational resilience.

Mitigation Recommendations

To mitigate CVE-2025-3864, European organizations should take the following specific actions:
1) Upgrade hackney to version 1.24.0 or later, where the connection is released correctly after a 307 response. In Elixir projects hackney is usually a transitive dependency (pulled in by HTTPoison, the Tesla hackney adapter and similar libraries), so check the version pinned in mix.lock or rebar.lock rather than only the direct dependency list.
2) Review and audit application dependencies to identify every service that uses hackney and ensure all instances are updated, including services built from shared base images or umbrella projects.
3) Monitor connection pool occupancy and alert on abnormal patterns: a steadily rising in-use count that does not track request volume, a growing checkout queue, or requests failing with pool checkout timeouts are the signature of leaked connections and of possible exploitation.
4) Reduce exposure on the client side. The redirects come from servers the application connects to, so restrict outbound destinations (allowlist user-supplied URLs such as webhooks and callback targets) and disable or cap redirect following with hackney's follow_redirect and max_redirect options where redirects are not needed. This lowers the attack surface but does not replace the upgrade.
5) Test applications that handle HTTP redirects under load, checking that the pool's in-use count returns to baseline after a burst of 307 responses, and that the service degrades gracefully when the pool is full.
6) Incorporate this vulnerability into incident response playbooks so that DoS conditions caused by connection pool depletion are recognised quickly; note that restarting the affected pool or application clears leaked connections but is only a stopgap.
7) If immediate patching is not feasible, consider architectural adjustments such as a larger connection pool (which only delays exhaustion) or an alternative HTTP client library, while planning for timely remediation.
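As an added example (not tooling from the hackney project or from this advisory), the following POSIX shell script implements steps 1 and 2 above: it scans Elixir mix.lock and rebar3 rebar.lock files for the pinned hackney version and reports whether it predates the 1.24.0 fix. The sample lock files it writes are constructed for the demonstration, with placeholder hashes in place of real package checksums.

```shell
#!/bin/sh
# Added example, not hackney's own tooling: find the hackney version pinned
# in mix.lock / rebar.lock files and flag versions older than the fix.

FIXED_VERSION="1.24.0"   # first hackney release containing the fix

# Extract the hackney version pinned in one lock file. Handles both
#   mix.lock:   "hackney": {:hex, :hackney, "1.20.1", ...},
#   rebar.lock: {<<"hackney">>,{pkg,<<"hackney">>,<<"1.20.1">>},0},
# Prints the version, or nothing if hackney is not a dependency.
hackney_version_in() {
  lockfile="$1"
  sed -n \
    -e 's/^ *"hackney": *{:hex, *:hackney, *"\([0-9][0-9.]*\)".*/\1/p' \
    -e 's/^ *{<<"hackney">>, *{pkg, *<<"hackney">>, *<<"\([0-9][0-9.]*\)">>}.*/\1/p' \
    "$lockfile" | head -n 1
}

# Compare two dotted versions component by component (numerically, so
# 1.9.0 sorts before 1.24.0). Prints "lt", "eq" or "gt".
version_cmp() {
  a="$1"; b="$2"
  for i in 1 2 3; do
    x=$(printf '%s' "$a" | cut -d. -f"$i"); x=${x:-0}
    y=$(printf '%s' "$b" | cut -d. -f"$i"); y=${y:-0}
    if [ "$x" -lt "$y" ]; then echo lt; return; fi
    if [ "$x" -gt "$y" ]; then echo gt; return; fi
  done
  echo eq
}

# Classify one lock file: "vulnerable VERSION", "fixed VERSION" or "absent".
check_lockfile() {
  v=$(hackney_version_in "$1")
  if [ -z "$v" ]; then echo absent; return; fi
  case $(version_cmp "$v" "$FIXED_VERSION") in
    lt) echo "vulnerable $v" ;;
    *)  echo "fixed $v" ;;
  esac
}

# Constructed sample lock files (placeholder hashes, not real checksums).
tmpdir=$(mktemp -d)

cat > "$tmpdir/mix.lock" <<'EOF'
%{
  "certifi": {:hex, :certifi, "2.12.0", "PLACEHOLDER_HASH", [:rebar3], [], "hexpm", "PLACEHOLDER_HASH"},
  "hackney": {:hex, :hackney, "1.20.1", "PLACEHOLDER_HASH", [:rebar3], [{:certifi, "~> 2.12.0", [hex: :certifi, repo: "hexpm", optional: false]}], "hexpm", "PLACEHOLDER_HASH"},
}
EOF

cat > "$tmpdir/rebar.lock" <<'EOF'
{"1.2.0",
[{<<"certifi">>,{pkg,<<"certifi">>,<<"2.12.0">>},1},
 {<<"hackney">>,{pkg,<<"hackney">>,<<"1.24.0">>},0}]}.
[
{pkg_hash,[
 {<<"certifi">>, <<"PLACEHOLDER_HASH">>},
 {<<"hackney">>, <<"PLACEHOLDER_HASH">>}]}
].
EOF

cat > "$tmpdir/no_hackney.lock" <<'EOF'
%{
  "jason": {:hex, :jason, "1.4.1", "PLACEHOLDER_HASH", [:mix], [], "hexpm", "PLACEHOLDER_HASH"},
}
EOF

# Report every lock file found; in a real audit point this at the repo root.
for f in "$tmpdir"/*.lock; do
  printf '%s: %s\n' "$f" "$(check_lockfile "$f")"
done
```

In practice run check_lockfile over every mix.lock and rebar.lock in your repositories and container images; a missing entry only means hackney is not pinned in that file, not that it is absent at runtime, so confirm against the deployed release as well. At runtime, the per-pool counters that hackney exposes through hackney_pool:get_stats/1 (in-use, free and queued counts) are the values to watch for step 3.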


Technical Details

Data Version: 5.1
Assigner Short Name: CERT-PL
Date Reserved: 2025-04-22T08:43:49.641Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6837017a182aa0cae2479471

Added to database: 5/28/2025, 12:28:42 PM

Last enriched: 7/6/2025, 1:42:00 AM

Last updated: 8/14/2025, 4:54:58 PM
