CVE-2026-47067: CWE-770 Allocation of Resources Without Limits or Throttling in benoitc hackney
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The URL parser in src/hackney_url.erl converts every unrecognized URL scheme to a permanent BEAM atom via binary_to_atom/2. BEAM atoms are never garbage-collected and the atom table defaults to a hard limit of 1,048,576 entries. An attacker who can supply URLs with attacker-chosen scheme prefixes — directly as request targets, as configured webhook URLs, or via Location headers followed during redirects — can exhaust the atom table and crash the entire BEAM VM with system_limit. This issue affects hackney: from 2.0.0 before 4.0.1.
AI Analysis
Technical Summary
The vulnerability in benoitc hackney involves the allocation of BEAM atoms without limits or throttling when parsing URLs. Specifically, the URL parser in src/hackney_url.erl uses binary_to_atom/2 to convert unrecognized URL schemes into permanent atoms. Because BEAM atoms are not garbage-collected and the atom table has a hard limit of 1,048,576 entries, an attacker can supply many distinct URL schemes to exhaust this table. This leads to a system_limit error and crashes the entire BEAM virtual machine. The affected versions are hackney from 2.0.0 up to but not including 4.0.1.
Potential Impact
Successful exploitation allows an attacker to cause a denial of service by crashing the BEAM VM hosting the hackney library. This is achieved by exhausting the atom table through uncontrolled creation of permanent atoms from attacker-supplied URL schemes. The impact is a high-severity denial of service affecting applications using vulnerable hackney versions.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch link is provided, users should monitor the vendor's announcements for updates. Until a fix is available, avoid processing untrusted URLs with attacker-controlled schemes or implement application-level throttling or validation to limit the variety of URL schemes processed.
CVE-2026-47067: CWE-770 Allocation of Resources Without Limits or Throttling in benoitc hackney
Description
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The URL parser in src/hackney_url.erl converts every unrecognized URL scheme to a permanent BEAM atom via binary_to_atom/2. BEAM atoms are never garbage-collected and the atom table defaults to a hard limit of 1,048,576 entries. An attacker who can supply URLs with attacker-chosen scheme prefixes — directly as request targets, as configured webhook URLs, or via Location headers followed during redirects — can exhaust the atom table and crash the entire BEAM VM with system_limit. This issue affects hackney: from 2.0.0 before 4.0.1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in benoitc hackney involves the allocation of BEAM atoms without limits or throttling when parsing URLs. Specifically, the URL parser in src/hackney_url.erl uses binary_to_atom/2 to convert unrecognized URL schemes into permanent atoms. Because BEAM atoms are not garbage-collected and the atom table has a hard limit of 1,048,576 entries, an attacker can supply many distinct URL schemes to exhaust this table. This leads to a system_limit error and crashes the entire BEAM virtual machine. The affected versions are hackney from 2.0.0 up to but not including 4.0.1.
Potential Impact
Successful exploitation allows an attacker to cause a denial of service by crashing the BEAM VM hosting the hackney library. This is achieved by exhausting the atom table through uncontrolled creation of permanent atoms from attacker-supplied URL schemes. The impact is a high-severity denial of service affecting applications using vulnerable hackney versions.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch link is provided, users should monitor the vendor's announcements for updates. Until a fix is available, avoid processing untrusted URLs with attacker-controlled schemes or implement application-level throttling or validation to limit the variety of URL schemes processed.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-05-18T17:28:08.321Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a149bd3a5ae1af1aad7730f
Added to database: 5/25/2026, 6:58:27 PM
Last enriched: 5/25/2026, 6:58:44 PM
Last updated: 5/26/2026, 7:54:29 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.