CVE-2025-3864

LOW

HEX Hackney < 1.24.0 - Resource Leak

Title source: rule

Description

Hackney fails to properly release HTTP connections to the pool after handling 307 Temporary Redirect responses. Remote attackers can exploit this to exhaust connection pools, causing denial of service in applications using the library. Fix for this issue has been included in 1.24.0 release.

References (3)

[Issue Tracking] https://github.com/benoitc/hackney/issues/717

[Various Sources] https://cert.pl/en/posts/2025/05/CVE-2025-3864/

[Patch] https://github.com/benoitc/hackney/commit/8f13ddac50d1626f8b9a47a08bd599e4efe1773d

View Patch ZIP pw:eip

Scores

CVSS v4 2.3

EPSS 0.0030

EPSS Percentile 53.3%

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-772

Status published

Products (2)

hackney/hackney < 1.24.0

Hex/hackney 0 - 1.24.0Hex

Published May 28, 2025

Tracked Since Feb 18, 2026