GHSA-Q8JG-FGJ4-FPHF

Vulnerability from github – Published: 2026-06-26 22:00 – Updated: 2026-06-26 22:00
VLAI
Summary
Hackney has unbounded buffer accumulation in WebSocket
Details

Summary

The WebSocket client in src/hackney_ws.erl imposes no upper bound on memory consumption across three distinct code paths. In each case, an attacker-controlled WebSocket server can exhaust the connecting process's memory without any authentication or special client configuration.

Details

1. Handshake response buffer (read_handshake_response/3)

The function accumulates received bytes into a growing buffer waiting for \r\n\r\n. The per-receive timeout resets on every chunk, so a server that trickles bytes indefinitely without completing the HTTP upgrade response grows the buffer until OOM. No total-size cap exists.

2. Frame payload accumulation (parse_payload/9, parse_active_payload/8)

parse_payload/9 (lines 816–817 and 825–826) appends each received chunk into a Buffer binary via <<Buffer/binary, MoreData/binary>> whenever the frame parser returns {more, ...}. parse_active_payload/8 does the same in active mode by appending each incoming tcp/ssl message to #ws_data.buffer. RFC 6455 permits payload lengths up to 2⁶³-1 bytes, and neither path validates the declared Len against any limit. The recv_timeout applies per chunk, not to the whole frame, so a slow trickle never triggers it.

3. Fragmentation buffer (frag_buffer)

The frag_buffer field of #ws_data{} accumulates continuation frames. A server that sends an unbounded stream of non-final (nofin) fragments without ever sending a final (fin) frame grows frag_buffer without bound.

PoC

  1. Stand up a WebSocket server and connect to it with hackney's WebSocket client.
  2. Trigger any of the three paths: (a) never send \r\n\r\n during the handshake; (b) announce a very large frame payload and dribble bytes slowly; (c) send an endless stream of nofin continuation frames.
  3. Observe the hackney process's memory growing until the BEAM OOM-kills it or the node crashes.

Impact

Denial of service via unbounded memory consumption. Affects hackney 2.0.0 through 4.0.0 for any application using the WebSocket client against an attacker-controlled server. No authentication or special configuration is required on the client side. CVSS v4.0: 8.7 (HIGH).

Resources

  • Introduction commit: https://github.com/benoitc/hackney/commit/690cecaf236fba49526da404a5bc889a24367a3e
  • Patch commit: https://github.com/benoitc/hackney/commit/ce0109e2970ace6e20ff29bae9d05c3ac22ec6dc
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Hex",
        "name": "hackney"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "4.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47073"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T22:00:16Z",
    "nvd_published_at": "2026-05-25T15:16:22Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe WebSocket client in `src/hackney_ws.erl` imposes no upper bound on memory consumption across three distinct code paths. In each case, an attacker-controlled WebSocket server can exhaust the connecting process\u0027s memory without any authentication or special client configuration.\n\n### Details\n\n**1. Handshake response buffer (`read_handshake_response/3`)**\n\nThe function accumulates received bytes into a growing buffer waiting for `\\r\\n\\r\\n`. The per-receive timeout resets on every chunk, so a server that trickles bytes indefinitely without completing the HTTP upgrade response grows the buffer until OOM. No total-size cap exists.\n\n**2. Frame payload accumulation (`parse_payload/9`, `parse_active_payload/8`)**\n\n`parse_payload/9` (lines 816\u2013817 and 825\u2013826) appends each received chunk into a `Buffer` binary via `\u003c\u003cBuffer/binary, MoreData/binary\u003e\u003e` whenever the frame parser returns `{more, ...}`. `parse_active_payload/8` does the same in active mode by appending each incoming `tcp`/`ssl` message to `#ws_data.buffer`. RFC 6455 permits payload lengths up to 2\u2076\u00b3-1 bytes, and neither path validates the declared `Len` against any limit. The `recv_timeout` applies per chunk, not to the whole frame, so a slow trickle never triggers it.\n\n**3. Fragmentation buffer (`frag_buffer`)**\n\nThe `frag_buffer` field of `#ws_data{}` accumulates continuation frames. A server that sends an unbounded stream of non-final (`nofin`) fragments without ever sending a final (`fin`) frame grows `frag_buffer` without bound.\n\n### PoC\n\n1. Stand up a WebSocket server and connect to it with hackney\u0027s WebSocket client.\n2. Trigger any of the three paths: (a) never send `\\r\\n\\r\\n` during the handshake; (b) announce a very large frame payload and dribble bytes slowly; (c) send an endless stream of `nofin` continuation frames.\n3. Observe the hackney process\u0027s memory growing until the BEAM OOM-kills it or the node crashes.\n\n### Impact\n\nDenial of service via unbounded memory consumption. Affects hackney 2.0.0 through 4.0.0 for any application using the WebSocket client against an attacker-controlled server. No authentication or special configuration is required on the client side. CVSS v4.0: **8.7 (HIGH)**.\n\n## Resources\n\n* Introduction commit: https://github.com/benoitc/hackney/commit/690cecaf236fba49526da404a5bc889a24367a3e\n* Patch commit: https://github.com/benoitc/hackney/commit/ce0109e2970ace6e20ff29bae9d05c3ac22ec6dc",
  "id": "GHSA-q8jg-fgj4-fphf",
  "modified": "2026-06-26T22:00:16Z",
  "published": "2026-06-26T22:00:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/benoitc/hackney/security/advisories/GHSA-q8jg-fgj4-fphf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47073"
    },
    {
      "type": "WEB",
      "url": "https://github.com/benoitc/hackney/commit/ce0109e2970ace6e20ff29bae9d05c3ac22ec6dc"
    },
    {
      "type": "WEB",
      "url": "https://cna.erlef.org/cves/CVE-2026-47073.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/benoitc/hackney"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/EEF-CVE-2026-47073"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Hackney has unbounded buffer accumulation in WebSocket"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…