CVE-2026-47066: hackney Alt-Svc Parser Infinite Loop (DoS)
A single-byte malformed Alt-Svc response header causes hackney's parser to spin in an infinite loop, pinning an Erlang scheduler at 100% CPU and permanently hanging the connection process.
The problem
hackney's Alt-Svc header parser in `src/hackney_altsvc.erl` is called synchronously for every HTTP response. When the header value begins with a non-token byte (such as `!`, `@`, `=`, or `;`), the parser cannot consume any input and recurses forever.
The result is unbounded CPU exhaustion on one Erlang scheduler. Because the loop never yields, the connection process hangs permanently. Any application connecting to an attacker-controlled HTTP server is affected, and no authentication is required.
Proof of concept
```erlang
%% Trigger directly (process hangs immediately):
hackney_altsvc:parse(<<"!">>).
%% Remote trigger: serve any HTTP response with this header:
%% Alt-Svc: !
%% Then issue a normal request:
hackney:request(get, "http://attacker.example/", [], <<>>, []).
%% The call never returns; the Erlang scheduler spikes to 100% CPU.
```

The root cause (CWE-835) is in `parse_token/2`. When the leading byte is not alphanumeric, `-`, `_`, whitespace, or `,`, the catch-all clause returns `{undefined, Rest}` with the input buffer completely unchanged. `parse_entries/2` passes this unchanged buffer to `skip_comma/1`, which also makes no progress because the byte is not a comma, then recurses with the identical data.
Erlang tail recursion does not preempt on a pure CPU loop, so the scheduler is pinned indefinitely. The patch (commit `e548aba`) adds a zero-progress guard to `parse_entries/2` that detects this condition and rejects the malformed entry instead of looping.
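As an added example (not hackney's code and not the referenced commit), a reduced Alt-Svc entry parser in Erlang that shows the non-consuming catch-all clause described above next to the zero-progress guard that stops the loop; the module name and function bodies are this example's own, and only the function names mirror the advisory.

```erlang
%% Added example (not hackney's code): a simplified Alt-Svc entry parser whose
%% loop carries the zero-progress guard the advisory describes. Function names
%% mirror those in the advisory; the bodies are this example's own.
-module(altsvc_guard).
-export([parse/1]).
%% parse(HeaderValue) -> {ok, [ProtocolId]} | {error, {no_progress, Rest}}
parse(Bin) when is_binary(Bin) -> parse_entries(Bin, []).
%% Vulnerable shape (unconditional recursion; never returns on <<"!">>):
%%   parse_entries(Bin, Acc) ->
%%       {T, R} = parse_token(Bin, <<>>),
%%       parse_entries(skip_comma(R), add_token(T, Acc)).
parse_entries(<<>>, Acc) ->
    {ok, lists:reverse(Acc)};
parse_entries(Bin, Acc) ->
    {Token, Rest0} = parse_token(Bin, <<>>),
    Rest = skip_comma(Rest0),
    %% Zero-progress guard: if neither parse_token/2 nor skip_comma/1 consumed
    %% a byte, recursing with the same buffer would spin forever. Reject it.
    case byte_size(Rest) =:= byte_size(Bin) of
        true  -> {error, {no_progress, Rest}};
        false -> parse_entries(Rest, add_token(Token, Acc))
    end.

%% Accumulate token characters; on "=" skip the alt-value and its parameters.
parse_token(<<C, Rest/binary>>, Acc)
  when C >= $a, C =< $z; C >= $A, C =< $Z; C >= $0, C =< $9; C =:= $-; C =:= $_ ->
    parse_token(Rest, <<Acc/binary, C>>);
parse_token(<<C, Rest/binary>>, Acc) when C =:= $\s; C =:= $\t ->
    parse_token(Rest, Acc);
parse_token(<<$=, Rest/binary>>, Acc) when Acc =/= <<>> ->
    {Acc, skip_value(Rest)};
parse_token(<<$,, _/binary>> = Rest, Acc) ->
    {token_or_undefined(Acc), Rest};
parse_token(<<>>, Acc) ->
    {token_or_undefined(Acc), <<>>};
parse_token(Rest, _Acc) ->
    {undefined, Rest}.                 % catch-all: input returned unchanged

token_or_undefined(<<>>) -> undefined;
token_or_undefined(Acc)  -> Acc.
%% Skip the alt-value (e.g. ":443"; ma=3600) up to the next entry separator.
skip_value(<<$,, _/binary>> = Rest) -> Rest;
skip_value(<<_, Rest/binary>>)      -> skip_value(Rest);
skip_value(<<>>)                    -> <<>>.

skip_comma(<<$,, Rest/binary>>) -> Rest;
skip_comma(Rest)                -> Rest.

add_token(undefined, Acc) -> Acc;
add_token(Token, Acc)     -> [Token | Acc].
```

With the guard, `altsvc_guard:parse(<<"!">>)` returns `{error, {no_progress, <<"!">>}}` immediately, while `altsvc_guard:parse(<<"h3=\":443\"; ma=3600, h2=\":443\"">>)` returns `{ok, [<<"h3">>, <<"h2">>]}`.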
The fix
Upgrade hackney to 4.0.1 or later. If an immediate upgrade is not possible, place a proxy or gateway in front of the service to strip any `Alt-Svc` header values that do not begin with a valid token character (ASCII alphanumeric, `-`, or `_`).