CVE-2025-3864

LOW

Hackney < 1.24.0 - Denial of Service via HTTP Connection Pool Exhaustion


Description

Hackney fails to properly release HTTP connections to the pool after handling 307 Temporary Redirect responses. Remote attackers can exploit this to exhaust connection pools, causing denial of service in applications using the library. The fix for this issue is included in the 1.24.0 release.

Scores

CVSS v4 2.3
EPSS 0.0073
EPSS Percentile 49.4%
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-772
Status published
Products (2)
hackney/hackney < 1.24.0
Hex/hackney 0 - 1.24.0
Published May 28, 2025
Tracked Since Feb 18, 2026