SOCKS5 TLS upgrade ignores caller timeout in hackney

Summary

CVE	CVE-2026-47071
State	PUBLISHED
Assigner	EEF
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-25 15:16:22 UTC
Updated	2026-05-27 13:56:30 UTC
Description	Uncontrolled Resource Consumption vulnerability in benoitc hackney allows Flooding. The SOCKS5 transport in src/hackney_socks5.erl correctly applies the caller-supplied timeout to the SOCKS5 negotiation phase, but then upgrades the connection to TLS using the two-argument form ssl:connect/2, which defaults to an infinite timeout. The Timeout value is in scope at the call site but is not forwarded. A hostile SOCKS5 proxy that completes the SOCKS5 handshake normally and then goes silent (or sends a partial TLS ServerHello and stalls) will cause the connecting process to block indefinitely, regardless of the connect_timeout or recv_timeout options supplied by the caller. This issue affects hackney: from 0.10.0 before 4.0.1.

Risk And Classification

Primary CVSS: v4.0 8.2 HIGH from 6b3ad84c-e1a6-4bf7-a703-f496b71e49db

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS: 0.000420000 probability, percentile 0.131290000 (date 2026-05-27)

Problem Types: CWE-400 | CWE-400 CWE-400 Uncontrolled Resource Consumption

Version	Source	Type	Score	Severity	Vector
4.0	6b3ad84c-e1a6-4bf7-a703-f496b71e49db	Secondary	8.2	HIGH	`CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/C...`
4.0	CNA	CVSS	8.2	HIGH	`CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
3.1	[email protected]	Primary	7.5	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`

CVSS v4.0 Breakdown

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

Present

Privileges Required

None

User Interaction

None

Confidentiality

None

Integrity

None

Availability

High

Sub Conf.

None

Sub Integrity

None

Sub Availability

None

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS v3.1 Breakdown

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Benoitc	Hackney	All	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Benoitc	Hackney	affected 0.10.0 4.0.1 semver	Not specified
CNA	Benoitc	Hackney	affected 34cdbd1d20a282aacc286a89327465a3925b4c5d 5ccdab725c561a6f03d05a51f2d0664f98236dae git	Not specified

References

Reference	Source	Link	Tags
osv.dev/vulnerability/EEF-CVE-2026-47071	6b3ad84c-e1a6-4bf7-a703-f496b71e49db	osv.dev	Third Party Advisory, Patch
github.com/benoitc/hackney/security/advisories/GHSA-gp9c-pm5m-5cxr	134c704f-9b21-4f2e-91b3-4a467353bcc0	github.com	Exploit, Patch, Vendor Advisory
cna.erlef.org/cves/CVE-2026-47071.html	6b3ad84c-e1a6-4bf7-a703-f496b71e49db	cna.erlef.org	Third Party Advisory, Patch
github.com/benoitc/hackney/commit/5ccdab725c561a6f03d05a51f2d0664f98236dae	6b3ad84c-e1a6-4bf7-a703-f496b71e49db	github.com	Patch
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

CNA: Peter Ullrich (en)

CNA: Benoit Chesneau (en)

CNA: Jonatan Männchen (en)

There are currently no legacy QID mappings associated with this CVE.