Full Report
Incorrect connection releasing causing pool exhaustion (CVE-2025-3864) has been found in hackney, an open-source HTTP client library.
Analysis Summary
# Vulnerability: Hackney Connection Pool Exhaustion via Improper Redirect Handling
## CVE Details
- CVE ID: CVE-2025-3864
- CVSS Score: Not given in the source; assumed **Medium/High** based on the denial-of-service impact.
- CWE: CWE-772 (Missing Release of Resource after Effective Lifetime)
## Affected Systems
- Products: hackney (open-source library)
- Versions: All versions prior to 1.24.0
- Configurations: Applications using hackney for HTTP requests that encounter 307 Temporary Redirect responses.
## Vulnerability Description
The `hackney` software fails to properly release HTTP connections back to the connection pool after successfully handling specific responses, namely **307 Temporary Redirects**. This failure results in connections being held open indefinitely within the pool, leading to resource exhaustion.
## Exploitation
- Status: Not explicitly stated, assumed **Not exploited in the wild** based on responsible disclosure context. No PoC availability is mentioned.
- Complexity: Likely **Low** to **Medium**; exploitation requires causing the application's request flow to encounter repeated 307 redirects until the finite pool is consumed.
- Attack Vector: **Network** (Remote attacker indirectly causes resource exhaustion).
## Impact
- Confidentiality: **No direct impact**
- Integrity: **No direct impact**
- Availability: **High** (Denial of Service due to connection pool exhaustion)
## Remediation
### Patches
- Upgrade to **hackney version 1.24.0 or later**.
### Workarounds
- No specific workarounds are detailed in the summary. Until the patch is applied, temporarily limiting concurrent connections, or reviewing which request paths trigger 307 redirects, may serve as interim measures.
## Detection
- **Indicators of Compromise (IoCs):** Gradual or sustained increase in active, unused connections held by the application in the `hackney` connection pool, especially if throughput decreases or new requests start failing due to connection unavailability.
- **Detection methods and tools:** Monitoring connection pool statistics and error logs for connection timeout or exhaustion errors within the affected application.
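A pool monitor along these lines, written in Erlang as an added example that is not hackney's own code: it polls `hackney_pool:get_stats/1` (which returns a proplist with `max`, `in_use_count`, `free_count` and `queue_count`) and logs when the in-use ratio crosses a caller-supplied threshold or requests start queueing against a full pool. The pool name, poll interval and threshold are assumptions passed in by the caller.

```erlang
%% pool_watch.erl: added monitoring example, not part of hackney.
-module(pool_watch).
-export([check/2, start/3]).

%% Classify one snapshot from hackney_pool:get_stats/1.
%% Returns ok | {warn, Ratio} | {exhausted, QueueLen}.
check(Stats, Threshold) ->
    Max    = proplists:get_value(max, Stats, 0),
    InUse  = proplists:get_value(in_use_count, Stats, 0),
    Queued = proplists:get_value(queue_count, Stats, 0),
    case {Max, Queued} of
        {0, _} ->
            ok;                                  % pool not started or unlimited
        {_, Q} when Q > 0 andalso InUse >= Max ->
            {exhausted, Q};                      % callers are blocked waiting
        _ ->
            Ratio = InUse / Max,
            if Ratio >= Threshold -> {warn, Ratio};
               true -> ok
            end
    end.

%% Spawn a poller for PoolName that checks every IntervalMs.
%% Threshold is a fraction, e.g. 0.8 for 80% of max in use.
start(PoolName, IntervalMs, Threshold) ->
    spawn_link(fun() -> loop(PoolName, IntervalMs, Threshold) end).

loop(PoolName, IntervalMs, Threshold) ->
    Stats = hackney_pool:get_stats(PoolName),
    case check(Stats, Threshold) of
        ok ->
            ok;
        {warn, R} ->
            %% Sustained high in-use with flat traffic suggests leaked
            %% connections (the CVE-2025-3864 pattern) rather than load.
            logger:warning("hackney pool ~p at ~.1f% in use", [PoolName, R * 100]);
        {exhausted, Q} ->
            logger:error("hackney pool ~p exhausted, ~p requests queued", [PoolName, Q])
    end,
    timer:sleep(IntervalMs),
    loop(PoolName, IntervalMs, Threshold).
```

A leak from unreleased 307 connections shows as `in_use_count` climbing toward `max` while request volume stays flat; genuine load shows the same ratio but falls back as traffic drops.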
## References
- Vendor advisories: CERT Polska Disclosure coordinated via the CVD process.
- Relevant links (defanged):
  - hxxps://cert.pl/en/publications/
  - hxxps://www.cve.org/CVERecord?id=CVE-2025-3864