CVE-2025-3864

HEX Hackney < 1.24.0 - Resource Leak

Title source: rule

Description

Hackney fails to properly release HTTP connections to the pool after handling 307 Temporary Redirect responses. Remote attackers can exploit this to exhaust connection pools, causing denial of service in applications using the library. Fix for this issue has been included in 1.24.0 release.

References (3)

[Various Sources] https://cert.pl/en/posts/2025/05/CVE-2025-3864/

[Patch] https://github.com/benoitc/hackney/commit/8f13ddac50d1626f8b9a47a08bd599e4efe1773d

View Patch ZIP pw:eip

[Issue Tracking] https://github.com/benoitc/hackney/issues/717

Scores

EPSS 0.0009

EPSS Percentile 24.8%

Classification

CWE

CWE-772

Status draft

Affected Products (1)

Hex/hackney < 1.24.0Hex

Timeline

Published May 28, 2025

Tracked Since Feb 18, 2026