GHSA-9653-RCFR-5C62

Vulnerability from github – Published: 2026-06-26 22:01 – Updated: 2026-06-26 22:01
VLAI
Summary
Hackney vulnerable to atom-table exhaustion via unrecognized URL schemes
Details

Summary

CVE-2026-47067 is an atom table exhaustion vulnerability (CWE-770) in hackney's URL parser (src/hackney_url.erl). hackney_url:parse_url/1 converts every URL scheme it encounters into a BEAM atom via binary_to_atom/2. Because BEAM atoms are never garbage-collected and the atom table has a hard limit of 1,048,576 entries, an attacker who can feed URLs with attacker-chosen scheme prefixes — directly as request targets, as webhook/callback URLs, or via Location headers in redirect chains — can exhaust the atom table and crash the entire BEAM VM with system_limit.

Details

1. Scheme extraction and conversion

In src/hackney_url.erl, parse_url/1 extracts the scheme binary (the part before ://), validates it with is_valid_scheme/1 (RFC 3986 alphabet: alpha-led, <=19 bytes, alphanumeric/+/-/. body), lowercases it, then calls:

binary_to_atom(SchemeLower, utf8)

The resulting atom is stored on the #hackney_url{} record and returned to the caller.

2. Permanent atom accumulation

The validation constrains the alphabet but not uniqueness. The allowed scheme space is enormous (≈52·65¹⁸ values), far exceeding the default atom limit of 1,048,576. Each distinct scheme mints a new permanent atom. Even when hackney subsequently rejects an unsupported scheme with {error, {unsupported_scheme, _}}, the atom has already been interned and is never reclaimed.

3. Crash vector

The most dangerous path is redirect following: when hackney follows a Location header, the redirect target URL is re-parsed by the same function. An attacker-controlled server can serve a sequence of redirects — or a batch of URLs from an upstream feed — each with a fresh unique scheme, driving the atom count monotonically upward. At the limit the BEAM emits system_limit and the node terminates; recovery requires a full restart.

PoC

  1. Call hackney_url:parse_url/1 (or :hackney.request/5) repeatedly with URLs whose scheme prefixes are unique on each call: aaaa://x, aaab://x, aaac://x, …
  2. After enough iterations, observe erlang:system_info(:atom_count) climbing by one per unique scheme.
  3. At 1,048,576 atoms the VM crashes with system_limit.

Alternatively, point hackney at a server that replies with a feed of ~1M URLs with distinct schemes (or uses redirect chains with rotating schemes); the atom table is exhausted and the node crashes without the client being able to intervene.

Impact

Unauthenticated remote denial of service via permanent resource exhaustion leading to VM termination. Any application using hackney 2.0.0 through 4.0.0 that processes attacker-influenced URLs — direct request targets, webhook URLs, or Location headers in followed redirects — is affected. No authentication or special configuration is required. CVSS v4.0 score: 8.7 (HIGH).

References

  • Introduction commit: https://github.com/benoitc/hackney/commit/d9713695c0d99855d12c73fd8a0b4be0543950c4
  • Patch commit: https://github.com/benoitc/hackney/commit/31f6f0e27e096ad88743dfded4f030a3ee74972e
Severity
8.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Hex",
        "name": "hackney"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "4.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47067"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T22:01:36Z",
    "nvd_published_at": "2026-05-25T15:16:21Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\n[CVE-2026-47067](https://nvd.nist.gov/vuln/detail/CVE-2026-47067) is an atom table exhaustion vulnerability (CWE-770) in hackney\u0027s URL parser (`src/hackney_url.erl`). `hackney_url:parse_url/1` converts every URL scheme it encounters into a BEAM atom via `binary_to_atom/2`. Because BEAM atoms are never garbage-collected and the atom table has a hard limit of 1,048,576 entries, an attacker who can feed URLs with attacker-chosen scheme prefixes \u2014 directly as request targets, as webhook/callback URLs, or via `Location` headers in redirect chains \u2014 can exhaust the atom table and crash the entire BEAM VM with `system_limit`.\n\n### Details\n\n**1. Scheme extraction and conversion**\n\nIn `src/hackney_url.erl`, `parse_url/1` extracts the scheme binary (the part before `://`), validates it with `is_valid_scheme/1` (RFC 3986 alphabet: alpha-led, `\u003c=19` bytes, alphanumeric/`+`/`-`/`.` body), lowercases it, then calls:\n\n```erlang\nbinary_to_atom(SchemeLower, utf8)\n```\n\nThe resulting atom is stored on the `#hackney_url{}` record and returned to the caller.\n\n**2. Permanent atom accumulation**\n\nThe validation constrains the alphabet but not uniqueness. The allowed scheme space is enormous (\u224852\u00b765\u00b9\u2078 values), far exceeding the default atom limit of 1,048,576. Each distinct scheme mints a new permanent atom. Even when hackney subsequently rejects an unsupported scheme with `{error, {unsupported_scheme, _}}`, the atom has already been interned and is never reclaimed.\n\n**3. Crash vector**\n\nThe most dangerous path is redirect following: when hackney follows a `Location` header, the redirect target URL is re-parsed by the same function. An attacker-controlled server can serve a sequence of redirects \u2014 or a batch of URLs from an upstream feed \u2014 each with a fresh unique scheme, driving the atom count monotonically upward. At the limit the BEAM emits `system_limit` and the node terminates; recovery requires a full restart.\n\n### PoC\n\n1. Call `hackney_url:parse_url/1` (or `:hackney.request/5`) repeatedly with URLs whose scheme prefixes are unique on each call: `aaaa://x`, `aaab://x`, `aaac://x`, \u2026\n2. After enough iterations, observe `erlang:system_info(:atom_count)` climbing by one per unique scheme.\n3. At 1,048,576 atoms the VM crashes with `system_limit`.\n\nAlternatively, point hackney at a server that replies with a feed of ~1M URLs with distinct schemes (or uses redirect chains with rotating schemes); the atom table is exhausted and the node crashes without the client being able to intervene.\n\n### Impact\n\nUnauthenticated remote denial of service via permanent resource exhaustion leading to VM termination. Any application using hackney 2.0.0 through 4.0.0 that processes attacker-influenced URLs \u2014 direct request targets, webhook URLs, or `Location` headers in followed redirects \u2014 is affected. No authentication or special configuration is required. CVSS v4.0 score: **8.7 (HIGH)**.\n\n## References\n\n* Introduction commit: https://github.com/benoitc/hackney/commit/d9713695c0d99855d12c73fd8a0b4be0543950c4\n* Patch commit: https://github.com/benoitc/hackney/commit/31f6f0e27e096ad88743dfded4f030a3ee74972e",
  "id": "GHSA-9653-rcfr-5c62",
  "modified": "2026-06-26T22:01:36Z",
  "published": "2026-06-26T22:01:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/benoitc/hackney/security/advisories/GHSA-9653-rcfr-5c62"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47067"
    },
    {
      "type": "WEB",
      "url": "https://github.com/benoitc/hackney/commit/31f6f0e27e096ad88743dfded4f030a3ee74972e"
    },
    {
      "type": "WEB",
      "url": "https://cna.erlef.org/cves/CVE-2026-47067.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/benoitc/hackney"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/EEF-CVE-2026-47067"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Hackney vulnerable to atom-table exhaustion via unrecognized URL schemes"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.