Summary
hackney_h3:await_response_loop/6 in src/hackney_h3.erl accumulates the HTTP/3 response body in memory without any size cap. The after Timeout clause is a per-message inactivity timer, not a wall-clock deadline: every received stream_data chunk, housekeeping select message, or settings frame resets it. A malicious HTTP/3 server that drips one small chunk every Timeout - 1 ms with Fin = false and never terminates the stream keeps the loop alive indefinitely while the accumulation buffer grows without bound, eventually exhausting the BEAM process heap.
Details
In src/hackney_h3.erl, await_response_loop/6 (line 430) builds the body with:
NewBody = <<AccBody/binary, Data/binary>>
There is no max_body check and no monotonic deadline. The after Timeout clause at line 463 is restarted on each loop iteration. A server that ensures at least one message arrives within Timeout ms indefinitely (one small chunk per interval is sufficient) prevents the timeout from firing while AccBody grows linearly. The same module's wait_connected/3 (lines 388-389) shows the correct pattern: track an absolute start time and pass a shrinking Remaining budget into each receive. This loop does not.
Configurations
Only the HTTP/3 transport is affected. Applications using the default TCP/TLS hackney transport are not vulnerable. The vulnerability requires using hackney_h3 directly or passing {transport, h3} to hackney:request/5.
PoC
- Stand up an HTTP/3 server that responds with
200 OK headers (Fin = false), then emits a small stream_data chunk every Timeout - margin ms with Fin = false indefinitely.
- Issue
hackney:request(get, Url, [], <<>>, [{transport, h3}]) against it.
- Watch the client process heap grow monotonically. The configured timeout never fires; the process is eventually killed by
max_heap_size or the OS OOM killer.
Impact
Remote denial of service via unbounded memory consumption. Affects hackney 2.0.0 through 4.0.0 when using the HTTP/3 transport against an attacker-controlled or attacker-influenced server. Each affected request consumes unbounded memory until the BEAM is killed. CVSS v4.0: 8.2 (HIGH).
Resources
References
Summary
hackney_h3:await_response_loop/6insrc/hackney_h3.erlaccumulates the HTTP/3 response body in memory without any size cap. Theafter Timeoutclause is a per-message inactivity timer, not a wall-clock deadline: every receivedstream_datachunk, housekeepingselectmessage, orsettingsframe resets it. A malicious HTTP/3 server that drips one small chunk everyTimeout - 1ms withFin = falseand never terminates the stream keeps the loop alive indefinitely while the accumulation buffer grows without bound, eventually exhausting the BEAM process heap.Details
In
src/hackney_h3.erl,await_response_loop/6(line 430) builds the body with:There is no
max_bodycheck and no monotonic deadline. Theafter Timeoutclause at line 463 is restarted on each loop iteration. A server that ensures at least one message arrives withinTimeoutms indefinitely (one small chunk per interval is sufficient) prevents the timeout from firing whileAccBodygrows linearly. The same module'swait_connected/3(lines 388-389) shows the correct pattern: track an absolute start time and pass a shrinkingRemainingbudget into eachreceive. This loop does not.Configurations
Only the HTTP/3 transport is affected. Applications using the default TCP/TLS hackney transport are not vulnerable. The vulnerability requires using
hackney_h3directly or passing{transport, h3}tohackney:request/5.PoC
200 OKheaders (Fin = false), then emits a smallstream_datachunk everyTimeout - marginms withFin = falseindefinitely.hackney:request(get, Url, [], <<>>, [{transport, h3}])against it.max_heap_sizeor the OS OOM killer.Impact
Remote denial of service via unbounded memory consumption. Affects hackney 2.0.0 through 4.0.0 when using the HTTP/3 transport against an attacker-controlled or attacker-influenced server. Each affected request consumes unbounded memory until the BEAM is killed. CVSS v4.0: 8.2 (HIGH).
Resources
References