benoitc hackney Uncontrolled Resource Consumption Vulnerability in SOCKS5 TLS Upgrade

Vulnerability

A denial-of-service vulnerability has been identified in the benoitc hackney library, in versions from 0.10.0 up to, but not including, 4.0.1. The issue is in the SOCKS5 transport module. The library correctly applies user-defined timeouts during the SOCKS5 negotiation phase, but it then upgrades the connection to TLS using the two-argument form, ssl:connect/2, which defaults to an infinite timeout, so the original timeout is not forwarded. A malicious SOCKS5 proxy can therefore complete the handshake and then stall the TLS exchange, causing the connecting process to block indefinitely. Any connect_timeout or recv_timeout options specified by the user are ignored, leading to unbounded resource consumption.

Impact

Exploitation of this vulnerability causes indefinite blocking of the connecting process and socket, creating a denial-of-service condition that can only be resolved by externally terminating the process.

Reproduction

To reproduce this vulnerability, set up a SOCKS5 proxy that completes the initial handshake but then fails to send a TLS ServerHello, effectively stalling the connection. Then, use the hackney library to send an HTTPS request through this proxy, while setting the connect_timeout and recv_timeout options to a short duration, such as 2000 milliseconds. The process will remain blocked beyond the specified timeout, consuming resources until it is manually terminated.

Remediation

Users can upgrade to hackney version 4.0.1 or later, where this vulnerability has been patched.
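
For code that performs its own TCP-to-TLS upgrade, the following added example (not hackney's source or its patch) shows the unbounded ssl:connect/2 pattern described above beside a form that forwards the remaining connect budget to ssl:connect/3. The module and function names are hypothetical, and the stalling peer is a constructed local listener; demo/0 returns the handshake result together with the elapsed milliseconds.

```erlang
%% Added example; not hackney source. All function names are hypothetical.
-module(tls_upgrade_deadline).
-export([upgrade_unbounded/2, upgrade_bounded/3, demo/0]).

%% The pattern the advisory describes: ssl:connect/2 behaves like
%% ssl:connect/3 with Timeout = infinity, so a peer that never answers
%% the ClientHello blocks the calling process forever.
upgrade_unbounded(TcpSock, TlsOpts) ->
    ssl:connect(TcpSock, TlsOpts).

%% Bounded form: the TLS handshake gets only what is left of the
%% connect budget, expressed as an absolute monotonic deadline.
upgrade_bounded(TcpSock, TlsOpts, Deadline) ->
    case remaining(Deadline) of
        0  -> {error, timeout};
        Ms -> ssl:connect(TcpSock, TlsOpts, Ms)
    end.

remaining(Deadline) ->
    max(0, Deadline - erlang:monotonic_time(millisecond)).

%% Constructed stand-in for the stalling peer: a local listener that is
%% never accepted from. The kernel completes the TCP handshake from the
%% listen backlog, but no TLS bytes ever come back.
demo() ->
    {ok, _} = application:ensure_all_started(ssl),
    {ok, L} = gen_tcp:listen(0, [binary, {active, false}, {ip, {127,0,0,1}}]),
    {ok, Port} = inet:port(L),
    T0 = erlang:monotonic_time(millisecond),
    Deadline = T0 + 2000,  % same budget as the 2000 ms in the reproduction
    {ok, Sock} = gen_tcp:connect({127,0,0,1}, Port,
                                 [binary, {active, false}], remaining(Deadline)),
    %% verify_none only because this peer never presents a certificate;
    %% real callers keep peer verification on.
    Result = upgrade_bounded(Sock, [{verify, verify_none}], Deadline),
    Elapsed = erlang:monotonic_time(millisecond) - T0,
    _ = gen_tcp:close(Sock),
    ok = gen_tcp:close(L),
    {Result, Elapsed}.
```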

Added: May 26, 2026, 7:27 PM
Updated: May 26, 2026, 7:27 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 7.7
remediation: 0.0
relevance: 9.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.