Uncontrolled Resource Consumption in Benoitc Hackney's SOCKS5 Transport
CVE-2026-47071

8.2 HIGH

Key Information:

Vendor

Benoitc

Status
Vendor
CVE Published: 25 May 2026

What is CVE-2026-47071?

The Hackney library for Erlang is vulnerable to uncontrolled resource consumption through a flaw in its SOCKS5 transport implementation. The timeout set by the caller applies during the SOCKS5 negotiation, but it is not propagated when the connection is upgraded to TLS, so the TLS handshake runs with an infinite timeout by default. A malicious SOCKS5 proxy can exploit this by completing the SOCKS5 handshake and then either remaining silent or sending an incomplete TLS ServerHello, which causes the connecting process to hang indefinitely. Users of Hackney versions from 0.10.0 to 4.0.0 should take immediate measures to secure their applications against this vulnerability.
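The timeout gap described above, reduced to OTP's own `gen_tcp` and `ssl` calls as an added example (not hackney's code and not taken from the advisory): the same TLS upgrade is run once with the caller's budget passed to `ssl:connect/3` and once with `infinity`, the value `ssl:connect/2` falls back to. The module and function names, the local silent listener, the `example.test` hostname and the timeout values are constructed for illustration, and `with_deadline/2` is a generic guard, not a fix stated by the vendor.

```erlang
-module(tls_upgrade_timeout).
-export([demo/0]).

%% Added illustration built on OTP only; this is not hackney's code.
%% Assumes OTP 25+ (public_key:cacerts_get/0) and an OS trust store.

%% Constructed stand-in for the peer in the description: accept the TCP
%% connection, keep it open, never send a byte of TLS.
silent_peer(Listen) ->
    case gen_tcp:accept(Listen) of
        {ok, _Sock} -> silent_peer(Listen);
        {error, _} -> ok
    end.

%% Connect, then upgrade the passive socket to TLS. TlsTimeout is passed to
%% ssl:connect/3; 'infinity' is what ssl:connect/2 uses when none is given.
upgrade(Port, ConnectTimeout, TlsTimeout) ->
    {ok, Sock} = gen_tcp:connect({127,0,0,1}, Port,
                                 [binary, {active, false}], ConnectTimeout),
    Opts = [{verify, verify_peer}, {cacerts, public_key:cacerts_get()},
            {server_name_indication, "example.test"}],
    ssl:connect(Sock, Opts, TlsTimeout).

%% Generic guard for a call that may never return: run it in a monitored
%% process and kill that process when the deadline passes.
with_deadline(Fun, Ms) ->
    {Pid, Ref} = spawn_monitor(fun() -> exit({done, Fun()}) end),
    receive
        {'DOWN', Ref, process, Pid, {done, Result}} -> Result;
        {'DOWN', Ref, process, Pid, Reason} -> {error, Reason}
    after Ms ->
        exit(Pid, kill),
        erlang:demonitor(Ref, [flush]),
        {error, deadline_exceeded}
    end.

demo() ->
    {ok, _} = application:ensure_all_started(ssl),
    {ok, Listen} = gen_tcp:listen(0, [binary, {active, false},
                                      {ip, {127,0,0,1}}]),
    {ok, Port} = inet:port(Listen),
    spawn_link(fun() -> silent_peer(Listen) end),
    %% Caller's budget reaches the TLS step: the handshake gives up on its own.
    Bounded = upgrade(Port, 1000, 1000),
    %% Budget stops at the TCP connect: only the outer deadline ends the call.
    Unbounded = with_deadline(fun() -> upgrade(Port, 1000, infinity) end, 2000),
    gen_tcp:close(Listen),
    {Bounded, Unbounded}.
```

Compile with `erlc tls_upgrade_timeout.erl` and call `tls_upgrade_timeout:demo().` from an `erl` shell.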

Affected Version(s)

hackney 0.10.0 < 4.0.1

hackney 34cdbd1d20a282aacc286a89327465a3925b4c5d < 5ccdab725c561a6f03d05a51f2d0664f98236dae

CVSS V4

Score: 8.2
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Peter Ullrich
Benoit Chesneau
Jonatan Männchen