🔐 CVE Alert

CVE-2026-47071

Severity: UNKNOWN (CVSS 0.0)

SOCKS5 TLS upgrade ignores caller timeout in hackney

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Uncontrolled Resource Consumption vulnerability in benoitc hackney allows Flooding. The SOCKS5 transport in src/hackney_socks5.erl correctly applies the caller-supplied timeout to the SOCKS5 negotiation phase, but then upgrades the connection to TLS using the two-argument form ssl:connect/2, which defaults to an infinite timeout. The Timeout value is in scope at the call site but is not forwarded. A hostile SOCKS5 proxy that completes the SOCKS5 handshake normally and then goes silent (or sends a partial TLS ServerHello and stalls) will cause the connecting process to block indefinitely, regardless of the connect_timeout or recv_timeout options supplied by the caller. This issue affects hackney: from 0.10.0 before 4.0.1.
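The call-site defect described above, as an added example that is not hackney's own code: an Erlang module with the unbounded TLS upgrade next to a version that forwards the caller's Timeout to ssl:connect/3, plus a local silent-peer check that shows the bounded form returning (module and function names are assumptions).

```erlang
%% Added example (not hackney's own code): the defect described above, with
%% the vulnerable call beside its bounded form. Function names are hypothetical.
-module(tls_upgrade_example).
-export([upgrade_unbounded/3, upgrade_bounded/3, silent_peer_check/1]).

%% Vulnerable pattern: Timeout is in scope at the call site but ssl:connect/2
%% is used, which defaults to an infinite timeout. A proxy that finishes the
%% SOCKS5 handshake and then goes silent blocks this process forever.
upgrade_unbounded(Socket, TlsOpts, _Timeout) ->
    ssl:connect(Socket, TlsOpts).

%% Hardened pattern: forward the caller's Timeout via ssl:connect/3, and if
%% the TLS handshake fails or times out, close the underlying TCP socket so
%% it is not leaked along with the stalled connection.
upgrade_bounded(Socket, TlsOpts, Timeout) ->
    case ssl:connect(Socket, TlsOpts, Timeout) of
        {ok, SslSocket} ->
            {ok, SslSocket};
        {error, _Reason} = Err ->
            _ = gen_tcp:close(Socket),
            Err
    end.

%% Self-check: a local listener (constructed here) that accepts and then never
%% writes a byte stands in for a proxy that completes SOCKS5 and stalls before
%% the ServerHello. upgrade_bounded/3 returns {error, _} within roughly
%% Timeout ms; upgrade_unbounded/3 against the same peer would never return.
silent_peer_check(Timeout) ->
    {ok, _} = application:ensure_all_started(ssl),
    {ok, Listen} = gen_tcp:listen(0, [binary, {active, false}, {reuseaddr, true}]),
    {ok, Port} = inet:port(Listen),
    spawn(fun() ->
                  {ok, _Accepted} = gen_tcp:accept(Listen),
                  timer:sleep(infinity)
          end),
    {ok, Socket} = gen_tcp:connect({127, 0, 0, 1}, Port,
                                   [binary, {active, false}]),
    %% verify_none only because the peer is a throwaway local listener
    Started = erlang:monotonic_time(millisecond),
    Result = upgrade_bounded(Socket, [{verify, verify_none}], Timeout),
    Elapsed = erlang:monotonic_time(millisecond) - Started,
    {Result, Elapsed}.
```

Calling `tls_upgrade_example:silent_peer_check(2000)` from an Erlang shell returns `{{error, _}, Elapsed}` with Elapsed close to 2000 ms, which is the behaviour the fixed hackney release restores for the SOCKS5 path.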

CWE: CWE-400
Vendor: benoitc
Product: hackney
Published: May 25, 2026
Last Updated: May 27, 2026

Affected Versions

benoitc / hackney: 0.10.0 < 4.0.1
benoitc / hackney (commits): 34cdbd1d20a282aacc286a89327465a3925b4c5d < 5ccdab725c561a6f03d05a51f2d0664f98236dae

References

github.com: https://github.com/benoitc/hackney/security/advisories/GHSA-gp9c-pm5m-5cxr
cna.erlef.org: https://cna.erlef.org/cves/CVE-2026-47071.html
osv.dev: https://osv.dev/vulnerability/EEF-CVE-2026-47071
github.com: https://github.com/benoitc/hackney/commit/5ccdab725c561a6f03d05a51f2d0664f98236dae

Credits

Peter Ullrich, Benoit Chesneau, Jonatan Männchen / EEF