Vulnerability Description
Hackney fails to properly release HTTP connections to the pool after handling 307 Temporary Redirect responses. Remote attackers can exploit this to exhaust connection pools, causing denial of service in applications using the library. Fix for this issue has been included in 1.24.0 release.
Related Weaknesses (CWE)
References
- https://cert.pl/en/posts/2025/05/CVE-2025-3864/
- https://github.com/benoitc/hackney/commit/8f13ddac50d1626f8b9a47a08bd599e4efe177
- https://github.com/benoitc/hackney/issues/717
FAQ
What is CVE-2025-3864?
CVE-2025-3864 is a documented vulnerability. Hackney fails to properly release HTTP connections to the pool after handling 307 Temporary Redirect responses. Remote attackers can exploit this to exhaust connection pools, causing denial of service...
How severe is CVE-2025-3864?
CVSS scoring is not yet available for CVE-2025-3864. Check NVD for updates.
Is there a patch for CVE-2025-3864?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.