CVE-2025-3864 – hackney

Package

Manager: erlang
Name: hackney
Vulnerable Version: >=0 <1.24.0

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00221 pctl0.4468

Details

Hackney fails to properly release HTTP connections to the pool Hackney fails to properly release HTTP connections to the pool after handling 307 Temporary Redirect responses. Remote attackers can exploit this to exhaust connection pools, causing denial of service in applications using the library. Fix for this issue has been included in 1.24.0 release.

Metadata

Created: 2025-05-28T12:30:34Z
Modified: 2025-05-28T16:08:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-9fm9-hp7p-53mf/GHSA-9fm9-hp7p-53mf.json
CWE IDs: ["CWE-772"]
Alternative ID: GHSA-9fm9-hp7p-53mf
Finding: F067
Auto approve: 1