CVE-2025-3864: Connection pool exhaustion in hackney

2.3 CVSS

Description

Hackney fails to properly release HTTP connections to the pool after handling 307 Temporary Redirect responses. Remote attackers can exploit this to exhaust connection pools, causing denial of service in applications using the library.
A fix for this issue is included in the 1.24.0 release.

Classification

CVE ID: CVE-2025-3864

CVSS Base Severity: LOW

CVSS Base Score: 2.3

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Problem Types

CWE-772 Missing Release of Resource after Effective Lifetime

Affected Products

Vendor: hackney

Product: hackney

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.19% (probability of being exploited)

EPSS Percentile: 41.77% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-26 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-3864
https://github.com/benoitc/hackney/issues/717
https://cert.pl/en/posts/2025/05/CVE-2025-3864/

Timeline