CVE-2025-3864 in hackney
Summary
by MITRE • 05/28/2025
Hackney fails to properly release HTTP connections to the pool after handling 307 Temporary Redirect responses. Remote attackers can exploit this to exhaust connection pools, causing denial of service in applications using the library. The fix for this issue has been included in the 1.24.0 release.
Analysis
by VulDB Data Team • 01/26/2026
The vulnerability identified as CVE-2025-3864 affects the Hackney HTTP client library, which is widely used in Erlang-based applications for making outbound HTTP requests. The issue stems from improper connection management in the library's handling of HTTP 307 Temporary Redirect responses. When Hackney receives a 307 from the server it is talking to, it should release the underlying connection back to the connection pool so that subsequent requests can reuse it. Instead, the flawed code keeps that connection checked out while it issues the follow-up request, so the pooled connection is never recycled.
The technical root cause aligns with CWE-400, Uncontrolled Resource Consumption. The flaw manifests specifically on HTTP 307 responses because a 307 tells the client to repeat the original request, with the same method and body, against the URL given in the Location header. During that replay, the library fails to release the connection that carried the initial request, so every redirect permanently consumes one pooled connection and the pool's free capacity is gradually depleted.
From an operational perspective, this vulnerability creates a significant denial of service risk for applications that rely on Hackney for HTTP communication. Because Hackney is a client, the trigger is a response rather than a request: an attacker who controls a server the application contacts, or who can induce the application to request a URL of their choosing, simply answers with 307 redirects, and each one leaks a pooled connection. As leaked connections are never returned to the pool, the application eventually reaches the pool's connection limit and further requests through that pool fail or time out. The impact is particularly severe in high-traffic applications where connection pooling is heavily relied upon, since the loss compounds with every redirect until the pool is empty and the service becomes unresponsive.
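The failure mode described in the two paragraphs above, as a runnable model added here for illustration. It is not hackney's code: it uses Python's standard library rather than Erlang, and the bounded pool, the keep-alive server that answers `/start` with a 307 to `/final`, the `get` helper and the `run_probe` driver are all constructed for this example. One simplification is labelled in the code: the model pool fails fast on exhaustion, whereas hackney queues the checkout and times out. The same `get` function is run in a leaky variant, which keeps the connection that carried the 307 checked out while it follows the redirect, and a fixed variant, which returns it to the pool first.

```python
"""Model of the CVE-2025-3864 leak (added example; not hackney code)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from queue import Empty, Queue


class PoolExhausted(RuntimeError):
    """No free connection and the pool is at its maximum size."""


class RedirectHandler(BaseHTTPRequestHandler):
    """Stand-in for an attacker-controlled server: every path except /final answers 307."""

    protocol_version = "HTTP/1.1"  # keep-alive, so one socket can carry several requests

    def do_GET(self):
        status, body = (200, b"ok") if self.path == "/final" else (307, b"")
        self.send_response(status)
        if status == 307:
            self.send_header("Location", "/final")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_args):  # keep the example quiet
        pass


class Pool:
    """Minimal checkout/checkin pool exposing the counters a monitor would watch.

    Simplification: hackney queues a checkout until a timeout; this pool fails fast.
    """

    def __init__(self, host, port, max_connections):
        self.host, self.port, self.max = host, port, max_connections
        self.free = Queue()
        self.in_use = 0
        self.created = []  # every socket ever opened, so the probe can close them

    def checkout(self):
        try:
            conn = self.free.get_nowait()
        except Empty:
            if self.in_use >= self.max:
                raise PoolExhausted(f"pool at its limit of {self.max} connections")
            conn = http.client.HTTPConnection(self.host, self.port)
            self.created.append(conn)
        self.in_use += 1
        return conn

    def checkin(self, conn):
        self.in_use -= 1
        self.free.put(conn)

    def stats(self):
        return {"in_use": self.in_use, "free": self.free.qsize(), "max": self.max}

    def close_all(self):
        for conn in self.created:
            conn.close()


def get(pool, path, release_before_follow, max_redirect=5):
    """GET with redirect following; the flag selects leaky or fixed behaviour."""
    conn = pool.checkout()
    for _ in range(max_redirect + 1):
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read()  # drain the body so the socket stays reusable
        if resp.status != 307:
            pool.checkin(conn)
            return resp.status, body
        path = resp.getheader("Location")
        if release_before_follow:
            pool.checkin(conn)  # fixed: hand the socket back before replaying the request
        # Leaky variant: the connection that carried the 307 is still counted as in
        # use, and a second connection is checked out for the redirected request.
        conn = pool.checkout()
    pool.checkin(conn)
    raise RuntimeError("too many redirects")


def run_probe(release_before_follow, requests=6, max_connections=4):
    """Issue GETs that each hit one 307; return how many completed and the pool stats."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), RedirectHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    pool = Pool("127.0.0.1", server.server_port, max_connections)
    completed = 0
    try:
        for _ in range(requests):
            try:
                status, _ = get(pool, "/start", release_before_follow)
            except PoolExhausted:
                break
            if status == 200:
                completed += 1
    finally:
        pool.close_all()  # lets the server's handler threads exit before shutdown
        server.shutdown()
        server.server_close()
    return completed, pool.stats()


if __name__ == "__main__":
    print("leaky:", run_probe(release_before_follow=False))
    print("fixed:", run_probe(release_before_follow=True))
```

With a pool of four, the leaky variant completes only three requests before the fourth redirect finds no connection left, and the pool reports all four connections in use with none free; the fixed variant completes all six and ends with a single idle connection. Those two counters, in-use climbing toward the maximum while free stays at zero, are exactly what to watch on a production pool before the upgrade is deployed.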
The mitigation is to upgrade to Hackney version 1.24.0 or later, which releases the connection correctly on 307 redirect responses. Organizations should prioritize this update, especially for applications that handle significant outbound HTTP traffic or contact servers they do not control. Until the upgrade is deployed, administrators should monitor pool usage (in-use versus free connections, and checkout timeouts) for signs of exhaustion, since any remote server the application talks to can trigger the leak without authenticating to the application. The fix reflects proper connection lifecycle management. In ATT&CK terms the attack maps to T1499.004, Endpoint Denial of Service: Application or System Exploitation, where a software flaw is exploited to make a service unavailable. This vulnerability highlights the importance of resource lifecycle management in network libraries and the need to test redirect handling thoroughly in HTTP client implementations.