← back
CVE-2025-3864

Connection pool exhaustion in hackney

CVSS 2.3 LOWEPSS 0.7%CWE-772
Hackney fails to properly release HTTP connections to the pool after handling 307 Temporary Redirect responses. Remote attackers can exploit this to exhaust connection pools, causing denial of service in applications using the library. Fix for this issue has been included in 1.24.0 release.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Affected products
hackney · hackney

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://cert.pl/en/posts/2025/05/CVE-2025-3864/https://github.com/benoitc/hackney/commit/8f13ddac50d1626f8b9a47a08bd599e4efe1773dhttps://github.com/benoitc/hackney/issues/717