Benoitc Hackney Alt-Svc Header Parser Infinite Loop Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the Benoitc Hackney HTTP client library, affecting versions from 2.0.0-beta.1 up to, but not including, 4.0.1. The issue lies in the Alt-Svc response header parser: when it encounters a non-token byte (such as '!', '@', '=', ';', or '.'), it fails to consume the byte and returns it unchanged. Because the parser has no progress control, this produces a tail-recursive loop that consumes CPU and hangs the connection process. A single-byte Alt-Svc header from an attacker-controlled HTTP origin is enough to trigger it, leaving the affected process unresponsive and pinned at 100% CPU usage.

Impact

Exploitation of this vulnerability causes an infinite loop that consumes CPU resources, pinning an Erlang scheduler at 100% usage. This leads to a denial-of-service condition, where the calling process becomes unresponsive and never returns.

Reproduction

To reproduce this vulnerability, send an HTTP response that includes an Alt-Svc header with a single non-token byte, such as '!', '@', '=', ';', or '.'. When the response is processed by the Hackney HTTP client, the parser will enter an infinite loop, causing the connection process to hang indefinitely. This can also be tested by directly calling the Alt-Svc parser with a leading non-token byte, which will immediately result in the same unresponsive behavior.
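The no-progress failure described in the two sections above, shown against a parser that does guarantee progress. This is an added illustrative example in Python; it is not Hackney's Erlang code and not the 4.0.1 fix. The token alphabet it accepts (ASCII letters, digits and '-') is an assumption of the example, narrower than the RFC 9110 tchar set, chosen so that the bytes listed above fall outside it. The property being demonstrated does not depend on that alphabet: every loop iteration either consumes at least one byte or raises, so a non-token byte is rejected with its offset instead of being handed back unconsumed to a caller that would retry it forever. The sample header values are constructed.

```python
"""Illustrative Alt-Svc value parser with an explicit forward-progress guarantee.

Added example, not Hackney's code. TOKEN_CHARS is an assumption of this
example and is deliberately narrower than RFC 9110 tchar.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# ASSUMPTION: token bytes are ASCII letters, digits and '-'. Anything else
# (including the '!', '@', '=', ';', '.' bytes named in the advisory) is rejected.
TOKEN_CHARS = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-"
)
DQUOTE, EQUALS, SEMI, COMMA, BACKSLASH = 0x22, 0x3D, 0x3B, 0x2C, 0x5C


class AltSvcError(ValueError):
    """Raised on malformed input; the message carries the offending offset."""


@dataclass
class AltValue:
    protocol: str
    authority: str
    params: dict[str, str] = field(default_factory=dict)


def _skip_ows(buf: bytes, pos: int) -> int:
    while pos < len(buf) and buf[pos] in b" \t":
        pos += 1
    return pos


def _take_token(buf: bytes, pos: int) -> tuple[bytes, int]:
    start = pos
    while pos < len(buf) and buf[pos] in TOKEN_CHARS:
        pos += 1
    if pos == start:
        # The advisory's bug is returning the unconsumed byte to the caller
        # here. Raising instead guarantees the caller either advances or stops.
        raise AltSvcError(f"expected token at offset {pos}")
    return buf[start:pos], pos


def _take_quoted(buf: bytes, pos: int) -> tuple[bytes, int]:
    if pos >= len(buf) or buf[pos] != DQUOTE:
        raise AltSvcError(f"expected quoted-string at offset {pos}")
    pos += 1
    out = bytearray()
    while pos < len(buf):
        c = buf[pos]
        if c == DQUOTE:
            return bytes(out), pos + 1
        if c == BACKSLASH and pos + 1 < len(buf):  # quoted-pair
            out.append(buf[pos + 1])
            pos += 2
            continue
        out.append(c)
        pos += 1
    raise AltSvcError("unterminated quoted-string")


def _expect(buf: bytes, pos: int, byte: int) -> int:
    if pos >= len(buf) or buf[pos] != byte:
        raise AltSvcError(f"expected {chr(byte)!r} at offset {pos}")
    return pos + 1


def parse_alt_svc(value: bytes) -> list[AltValue]:
    """Parse an Alt-Svc field value; returns [] for the 'clear' form."""
    if value.strip(b" \t") == b"clear":
        return []
    entries: list[AltValue] = []
    pos = _skip_ows(value, 0)
    while True:
        before = pos
        proto, pos = _take_token(value, pos)
        pos = _expect(value, pos, EQUALS)
        authority, pos = _take_quoted(value, pos)
        params: dict[str, str] = {}
        pos = _skip_ows(value, pos)
        while pos < len(value) and value[pos] == SEMI:
            pos = _skip_ows(value, pos + 1)
            name, pos = _take_token(value, pos)
            pos = _expect(value, pos, EQUALS)
            if pos < len(value) and value[pos] == DQUOTE:
                raw, pos = _take_quoted(value, pos)
            else:
                raw, pos = _take_token(value, pos)
            params[name.decode("ascii")] = raw.decode("latin-1")
            pos = _skip_ows(value, pos)
        # Progress control, belt and braces: an iteration that consumed nothing
        # would spin forever, which is exactly the reported failure mode.
        if pos <= before:
            raise AltSvcError(f"parser made no progress at offset {pos}")
        entries.append(AltValue(proto.decode("ascii"), authority.decode("latin-1"), params))
        if pos >= len(value):
            return entries
        pos = _skip_ows(value, _expect(value, pos, COMMA))


def rejects(value: bytes) -> bool:
    """True if the parser terminates by rejecting the value (it never hangs)."""
    try:
        parse_alt_svc(value)
    except AltSvcError:
        return True
    return False


if __name__ == "__main__":
    # Constructed samples, including the single-byte cases from the advisory.
    for sample in (b'h2=":443"; ma=60, h3-29="alt.example:443"', b"clear",
                   b"!", b"@", b"=", b";", b"."):
        try:
            print(sample, "->", parse_alt_svc(sample))
        except AltSvcError as exc:
            print(sample, "-> rejected:", exc)
```

The invariant worth carrying over to any tokenizer, recursive or not, is the one checked twice here: a primitive that matches nothing must fail rather than return its input, and the driving loop must refuse to continue from an unchanged position.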

Remediation

Users can upgrade to Hackney version 4.0.1, where this vulnerability has been fixed.

Added: May 26, 2026, 7:25 PM
Updated: May 26, 2026, 7:25 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 8.4
remediation: 0.0
relevance: 9.4
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.