Benoitc Hackney Atom Table Exhaustion Vulnerability Allowing Denial-of-Service

Vulnerability

A resource exhaustion vulnerability has been identified in Benoitc Hackney, specifically in the URL parser component. This vulnerability allows for denial-of-service by exhausting the BEAM atom table, which has a hard limit of 1,048,576 entries. The issue arises because the URL parser converts unrecognized URL scheme prefixes into permanent BEAM atoms. Once an atom is created, it cannot be garbage-collected, so each new scheme permanently consumes a table entry, leading to potential crashes of the BEAM virtual machine. The vulnerability affects Hackney versions from 2.0.0 up to, but not including, 4.0.1.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, where the BEAM virtual machine crashes due to atom table exhaustion. This requires a full restart of the VM to recover.

Reproduction

The vulnerability can be reproduced by calling the 'hackney_url:parse_url/1' function with URLs that have unique scheme prefixes. After enough iterations, the atom count can be observed to increase by one for each unique scheme. Once the atom limit is reached, the BEAM VM crashes with a 'system_limit' error. Alternatively, this can be demonstrated by using a server that provides a feed of URLs with distinct schemes, which will also exhaust the atom table and cause the VM to crash.

Remediation

Users can upgrade to Hackney version 4.0.1 or later, where this vulnerability has been fixed.
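
The following added example (not Hackney's code, and not taken from the 4.0.1 fix) shows scheme handling that never creates atoms from input, together with a check of atom table usage via `erlang:system_info/1`. The module name `safe_scheme`, its functions and the sample URLs are hypothetical and constructed for illustration.

```erlang
%% Added example; not Hackney's code. Module and function names are hypothetical.
-module(safe_scheme).
-export([scheme/1, atom_headroom/0, demo/0]).

%% Map a URL's scheme prefix to an atom through a fixed allowlist.
%% Unknown schemes stay binaries, so input never creates a new atom.
-spec scheme(binary()) ->
    {ok, http | https} | {unknown, binary()} | {error, no_scheme}.
scheme(Url) when is_binary(Url) ->
    case binary:split(Url, <<"://">>) of
        [Prefix, _Rest] when Prefix =/= <<>> ->
            known(ascii_lower(Prefix));
        _ ->
            {error, no_scheme}
    end.

%% The only atoms returned are literals already compiled into this module.
known(<<"http">>)  -> {ok, http};
known(<<"https">>) -> {ok, https};
known(Other)       -> {unknown, Other}.

%% Byte-wise ASCII lowercasing; safe on arbitrary (even non-UTF-8) input.
ascii_lower(Bin) ->
    << <<(lower(C))>> || <<C>> <= Bin >>.

lower(C) when C >= $A, C =< $Z -> C + 32;
lower(C) -> C.

%% Atom table usage as {Count, Limit, PercentUsed}; suitable for a
%% periodic health check that alerts before the limit is reached.
atom_headroom() ->
    Count = erlang:system_info(atom_count),
    Limit = erlang:system_info(atom_limit),
    {Count, Limit, Count * 100 / Limit}.

%% Classify constructed sample URLs and report how much the atom count
%% changed while doing so.
demo() ->
    Urls = [<<"https://example.com/">>,
            <<"HTTP://example.com/">>,
            <<"x-constructed-1://example.com/">>,
            <<"x-constructed-2://example.com/">>,
            <<"no-scheme-here">>],
    {Before, _, _} = atom_headroom(),
    Results = [scheme(U) || U <- Urls],
    {After, _, _} = atom_headroom(),
    {Results, After - Before}.
```

Tracking `atom_headroom/0` over time on nodes that still run an affected version gives early warning of steady atom growth before the VM reaches its limit.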

Added: May 26, 2026, 7:26 PM
Updated: May 26, 2026, 7:26 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 9.4
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.