CVE-2025-3864 LOW

CVE-2025-3864: Connection pool exhaustion in hackney

Vendor Hackney
Product hackney
Weakness CWE-772
Published May 28, 2025
Last update January 26, 2026

CVSS base score

2.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Hackney fails to properly release HTTP connections to the pool after handling 307 Temporary Redirect responses. Remote attackers can exploit this to exhaust connection pools, causing denial of service in applications using the library. A fix for this issue is included in the 1.24.0 release.

Key dates

02 Disclosure timeline

May 28, 2025 CVE published
January 26, 2026 Record updated