CVE-2025-3864 — Hackney fails to properly release HTTP connections to the pool

Description

Hackney fails to properly release HTTP connections to the pool after handling 307 Temporary Redirect responses. Remote attackers can exploit this to exhaust connection pools, causing denial of service in applications using the library. Fix for this issue has been included in 1.24.0 release.

How to fix CVE-2025-3864

To remediate CVE-2025-3864, upgrade the affected package to a fixed version below.

Hex/hackney—upgrade to 1.24.0 or later

Is CVE-2025-3864 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.24.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-3864
PATCHgithub.com/benoitc/hackney
WEBcert.pl/en/posts/2025/05/CVE-2025-3864
WEBgithub.com/benoitc/hackney/commit/8f13ddac50d1626f8b9a47a08bd599e4efe1773d
WEB