CVE-2026-47073: CWE-400 Uncontrolled Resource Consumption in benoitc hackney
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The WebSocket client in src/hackney_ws.erl imposes no upper bound on memory consumption in three code paths. First, read_handshake_response/3 accumulates received bytes into a growing buffer with no size cap; the per-receive timeout resets on every chunk, so a server that streams bytes without ever sending \r\n\r\n causes the buffer to grow until memory is exhausted. Second, parse_payload/9 and parse_active_payload/8 do not validate the declared frame payload length against any limit; because RFC 6455 allows payload lengths up to 2^63-1 bytes, a server that announces a very large frame and dribbles bytes causes the accumulation buffer to grow until OOM. Third, the frag_buffer field in #ws_data{} accumulates continuation frames indefinitely; a server that sends an endless stream of non-final (nofin) fragmented frames without ever sending a final (fin) frame grows frag_buffer without bound. In all three cases the attacker only needs to control the WebSocket server the hackney client connects to, with no authentication or special client configuration required. This issue affects hackney: from 2.0.0 before 4.0.1.
AI Analysis
Technical Summary
The vulnerability in benoitc hackney's WebSocket client arises from lack of limits on memory usage in three areas: (1) read_handshake_response/3 accumulates bytes indefinitely if the server never sends the expected \r\n\r\n sequence, (2) parse_payload/9 and parse_active_payload/8 do not enforce limits on declared frame payload lengths, allowing extremely large frames to cause memory exhaustion, and (3) the frag_buffer field accumulates fragmented frames indefinitely if the server sends continuous non-final fragments without a final frame. Exploitation requires control of the WebSocket server the client connects to and affects hackney versions from 2.0.0 up to but not including 4.0.1.
Potential Impact
Successful exploitation can cause the hackney WebSocket client to consume excessive memory, potentially leading to denial of service through out-of-memory conditions. This impacts any application using affected hackney versions when connecting to a malicious or compromised WebSocket server. There is no need for authentication or special client configuration to trigger the issue.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch links are currently provided. Users should monitor the vendor's announcements for updates. Until a fix is available, avoid connecting hackney WebSocket clients to untrusted or potentially malicious WebSocket servers to reduce risk.
CVE-2026-47073: CWE-400 Uncontrolled Resource Consumption in benoitc hackney
Description
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The WebSocket client in src/hackney_ws.erl imposes no upper bound on memory consumption in three code paths. First, read_handshake_response/3 accumulates received bytes into a growing buffer with no size cap; the per-receive timeout resets on every chunk, so a server that streams bytes without ever sending \r\n\r\n causes the buffer to grow until memory is exhausted. Second, parse_payload/9 and parse_active_payload/8 do not validate the declared frame payload length against any limit; because RFC 6455 allows payload lengths up to 2^63-1 bytes, a server that announces a very large frame and dribbles bytes causes the accumulation buffer to grow until OOM. Third, the frag_buffer field in #ws_data{} accumulates continuation frames indefinitely; a server that sends an endless stream of non-final (nofin) fragmented frames without ever sending a final (fin) frame grows frag_buffer without bound. In all three cases the attacker only needs to control the WebSocket server the hackney client connects to, with no authentication or special client configuration required. This issue affects hackney: from 2.0.0 before 4.0.1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in benoitc hackney's WebSocket client arises from lack of limits on memory usage in three areas: (1) read_handshake_response/3 accumulates bytes indefinitely if the server never sends the expected \r\n\r\n sequence, (2) parse_payload/9 and parse_active_payload/8 do not enforce limits on declared frame payload lengths, allowing extremely large frames to cause memory exhaustion, and (3) the frag_buffer field accumulates fragmented frames indefinitely if the server sends continuous non-final fragments without a final frame. Exploitation requires control of the WebSocket server the client connects to and affects hackney versions from 2.0.0 up to but not including 4.0.1.
Potential Impact
Successful exploitation can cause the hackney WebSocket client to consume excessive memory, potentially leading to denial of service through out-of-memory conditions. This impacts any application using affected hackney versions when connecting to a malicious or compromised WebSocket server. There is no need for authentication or special client configuration to trigger the issue.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch links are currently provided. Users should monitor the vendor's announcements for updates. Until a fix is available, avoid connecting hackney WebSocket clients to untrusted or potentially malicious WebSocket servers to reduce risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-05-18T17:28:08.322Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a149bd3a5ae1af1aad7732d
Added to database: 5/25/2026, 6:58:27 PM
Last enriched: 5/25/2026, 6:59:18 PM
Last updated: 5/26/2026, 7:54:34 AM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.