Hackney, an HTTP client library for Erlang/Elixir, fails to release connections back to the pool after processing HTTP 307 Temporary Redirect responses. When a server responds with a 307 redirect, Hackney mishandles the connection lifecycle and leaves the connection unreleased. An attacker who controls a server the application requests can repeatedly return 307 responses, gradually depleting the pool's available connections; this results in denial of service (DoS) once new requests can no longer acquire a connection. The root cause is improper cleanup logic in the redirect handling flow, where the library fails to mark the connection as reusable.
DailyCVE Form:
Platform: Hackney (Erlang/Elixir)
Version: < 1.24.0
Vulnerability: Connection Pool Exhaustion
Severity: Low
Date: May 28, 2025
Prediction: Patch already released (1.24.0)
What Undercode Say:
Exploitation:
Simulate a 307 redirect loop:
{:ok, resp} = :hackney.request(:get, "http://malicious.site/redirect", [], "", [follow_redirect: true])
Detection:
mix hex.outdated | grep hackney
Mitigation:
Update the dependency in mix.exs:
{:hackney, ">= 1.24.0"}
Analytics:
- Impact: Limited to apps using redirect-following
- Attack Complexity: Low (no auth required)
- Exploit Maturity: Unlikely (DoS only)
Debugging:
Check connection pool status:
:observer.start()
Workaround:
Disable redirect following if it is not needed:
:hackney.request(:get, url, [], "", [follow_redirect: false])
Monitoring:
Log pool exhaustion errors:
grep -r ":hackney_pool.full" /var/log
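The Debugging, Workaround and Monitoring items above can be combined into one small module. The following is an added example, not code from the DailyCVE write-up or from the hackney project: it gives the application its own hackney pool, refuses to follow redirects (the advisory's workaround) while logging the 3xx it received, and polls the pool's statistics so exhaustion is visible before requests start failing. The module name PoolGuard, the pool name :safe_pool, the pool size and the 80% alert threshold are assumptions; the proplist keys read from hackney_pool:get_stats/1 (in_use_count, free_count, queue_count) are as the author of this example understands hackney's API.

```elixir
# Added example, not part of the advisory. PoolGuard, :safe_pool and the
# thresholds are assumptions chosen for illustration.
defmodule PoolGuard do
  require Logger

  @pool :safe_pool
  @max_connections 50

  # A dedicated pool: if this pool is exhausted, callers sharing hackney's
  # :default pool are not starved as well.
  def start do
    :hackney_pool.start_pool(@pool, timeout: 15_000, max_connections: @max_connections)
  end

  # Advisory workaround: do not follow redirects automatically. with_body: true
  # makes hackney read the whole response and check the connection back in,
  # so the caller never holds an unconsumed client ref that keeps a socket.
  def get(url) do
    opts = [follow_redirect: false, with_body: true, pool: @pool]

    case :hackney.request(:get, url, [], "", opts) do
      {:ok, status, headers, _body} when status in [301, 302, 303, 307, 308] ->
        location = header(headers, "location")
        Logger.warning("redirect #{status} from #{url} to #{inspect(location)} not followed")
        {:error, {:redirect, status, location}}

      {:ok, status, headers, body} ->
        {:ok, status, headers, body}

      {:error, reason} ->
        Logger.error("request to #{url} failed: #{inspect(reason)}")
        {:error, reason}
    end
  end

  # Monitoring: a non-empty checkout queue with no free sockets is the
  # symptom of the pool exhaustion described in the advisory.
  def check_pool do
    stats = :hackney_pool.get_stats(@pool)
    in_use = :proplists.get_value(:in_use_count, stats, 0)
    free = :proplists.get_value(:free_count, stats, 0)
    queued = :proplists.get_value(:queue_count, stats, 0)

    cond do
      queued > 0 and free == 0 ->
        Logger.error("hackney pool #{@pool} exhausted: in_use=#{in_use} queued=#{queued}")
        :exhausted

      in_use >= div(@max_connections * 8, 10) ->
        Logger.warning("hackney pool #{@pool} at #{in_use}/#{@max_connections} connections")
        :warning

      true ->
        :ok
    end
  end

  # hackney returns headers as {name, value} binaries; header names are
  # compared case-insensitively.
  defp header(headers, name) do
    Enum.find_value(headers, fn {k, v} ->
      if String.downcase(k) == name, do: v
    end)
  end
end
```

Call `PoolGuard.start/0` once at application start and run `PoolGuard.check_pool/0` from a periodic task or health endpoint; a steady `:warning` or any `:exhausted` result from a host that keeps answering with 307 is the signal to investigate before the pool is fully drained.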
Patch Analysis:
- Fix modifies `hackney_redirect.erl`
- Adds proper `hackney_pool:checkin` call
- Redirect flow now validates pool state
Testing:
Verify the fix:
Mix.install([{:hackney, "1.24.0"}])
Sources:
Reported By: github.com