Listen to this Post
The vulnerability resides in the Alt-Svc header parser within src/hackney_altsvc.erl. When the HTTP client receives a response, it calls `parse_and_cache/3` to process the header. The parsing logic uses a recursive function parse_entries/2. For an unexpected character, the code fails to consume any input, leading to an infinite loop. Here is the technical breakdown of the flaw:
1. The `parse_and_cache/3` function is invoked for every HTTP response, feeding the raw Alt-Svc header value into the parser.
2. The parser recursively iterates through the header bytes via parse_entries/2, which calls `parse_entry/1` and then parse_protocol/1.
3. The core issue lies in parse_token/2. This function pattern matches on expected bytes like alphanumerics, hyphens, whitespace, and commas. Any other byte, such as !, @, =, or ;, triggers a catch-all clause.
4. This catch-all clause returns the input buffer completely unchanged ({undefined, Rest}). It does not advance a single character.
5. The returned unchanged buffer is passed to skip_comma/1. Since the offending byte is not a comma, this function also returns the buffer without any progress.
6. The `parse_entries/2` function then recursively calls itself with the exact same buffer, creating a tight tail-recursive loop with zero forward progress.
7. The Erlang VM’s scheduler is locked at 100% CPU usage as the infinite recursion never yields control, causing a complete denial of service for that connection process.
Platform: …… Erlang/OTP
Version: …….. 2.0.0-beta.1 to 4.0.0
Vulnerability :.. Infinite Loop (CWE-835)
Severity: ……. High (CVSS 8.7)
date: ……….. 2026-05-25
Prediction: ….. Patch expected 2026-05-26
What Undercode Say:
Analytics
Check hackney version in a mix project
grep -E '{:hackney,."~> [0-9.]+"' mix.exs
Or using rebar3
rebar3 tree | grep hackney
Monitor CPU for potential DoS
top -p $(pgrep -f beam.smp)
How Exploit:
%% Proof of Concept - Direct parser call
%% This will immediately hang the Erlang process.
hackney_altsvc:parse(<<"!">>).
%% Remote exploitation
%% 1. Start an HTTP server that responds with header 'Alt-Svc: !'
%% 2. Connect using hackney:
{ok, Status, Headers, ClientRef} = hackney:get("http://evil.com/").
%% 3. The calling process will never return
%% Erlang scheduler attached to the process will spike to 100% CPU.
Protection from this CVE
Immediate: Upgrade to hackney version `4.0.1` or later.
Patch Reference: The fix is implemented in commit e548aba1f97ffa3f4750da7b772998fb78c01894.
Workaround: If immediate upgrade is impossible, implement a gateway or proxy to sanitize incoming Alt-Svc headers, stripping any values that do not start with a valid token character.
Detection: Monitor system logs and CPU metrics for unexplained 100% scheduler utilization on Erlang VMs.
Impact
Denial of Service: A single malformed HTTP response from any server the client connects to can permanently hang the connection process.
CPU Exhaustion: The infinite loop pins an entire Erlang scheduler at 100% CPU, degrading performance for all processes on that scheduler.
Scope: Any Erlang/OTP application using hackney versions `2.0.0-beta.1` through `4.0.0` is vulnerable.
Ease of Exploitation: The attack vector is extremely simple, requiring only a single-byte header value (Alt-Svc: !). No authentication or complex payload is needed.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

