Summary
The SOCKS5 transport in src/hackney_socks5.erl correctly applies the caller-supplied timeout to the SOCKS5 negotiation phase, but then upgrades the tunnel to TLS using ssl:connect/2 (the two-argument form), which defaults to infinity. The Timeout value is in scope at that call site but is never forwarded. A hostile or man-in-the-middled SOCKS5 proxy that completes the SOCKS5 handshake normally and then stalls the TLS exchange will pin the connecting Erlang process and socket indefinitely, regardless of any connect_timeout or recv_timeout options the caller set.
Details
In src/hackney_socks5.erl, line 65, after the SOCKS5 negotiation succeeds, the code calls:
ssl:connect(Socket, SSLOpts)
The three-argument form ssl:connect/3 takes a timeout; the two-argument form used here defaults to infinity. The variable Timeout (already used for SOCKS5 recv calls earlier in the same function) is simply not passed. The bytes that drive the TLS handshake on the upstream side of the tunnel come from whatever endpoint the proxy connects to. A hostile proxy can complete SOCKS5 normally, then either stay silent or send a partial ServerHello and stop, keeping ssl:connect/2 blocked forever. No certificate forgery is needed.
PoC
- Stand up a SOCKS5 proxy that completes the SOCKS5 greeting and CONNECT reply normally, then goes silent (never sends a TLS ServerHello).
- Issue an HTTPS request through it via hackney with
connect_timeout and recv_timeout set to a short value (e.g. 2000 ms).
- Observe the calling process remains blocked well past the configured timeout, consuming a process and socket until killed externally.
Impact
Denial of service via unbounded process and socket consumption. Affects hackney 0.10.0 through 4.0.0 for any HTTPS request routed through a SOCKS5 proxy. The connect_timeout and recv_timeout options give a false sense of safety since they are not honored during the TLS upgrade. CVSS v4.0: 8.2 (HIGH).
Resources
References
Summary
The SOCKS5 transport in
src/hackney_socks5.erlcorrectly applies the caller-supplied timeout to the SOCKS5 negotiation phase, but then upgrades the tunnel to TLS usingssl:connect/2(the two-argument form), which defaults toinfinity. TheTimeoutvalue is in scope at that call site but is never forwarded. A hostile or man-in-the-middled SOCKS5 proxy that completes the SOCKS5 handshake normally and then stalls the TLS exchange will pin the connecting Erlang process and socket indefinitely, regardless of anyconnect_timeoutorrecv_timeoutoptions the caller set.Details
In
src/hackney_socks5.erl, line 65, after the SOCKS5 negotiation succeeds, the code calls:The three-argument form
ssl:connect/3takes a timeout; the two-argument form used here defaults toinfinity. The variableTimeout(already used for SOCKS5 recv calls earlier in the same function) is simply not passed. The bytes that drive the TLS handshake on the upstream side of the tunnel come from whatever endpoint the proxy connects to. A hostile proxy can complete SOCKS5 normally, then either stay silent or send a partialServerHelloand stop, keepingssl:connect/2blocked forever. No certificate forgery is needed.PoC
connect_timeoutandrecv_timeoutset to a short value (e.g. 2000 ms).Impact
Denial of service via unbounded process and socket consumption. Affects hackney 0.10.0 through 4.0.0 for any HTTPS request routed through a SOCKS5 proxy. The
connect_timeoutandrecv_timeoutoptions give a false sense of safety since they are not honored during the TLS upgrade. CVSS v4.0: 8.2 (HIGH).Resources
References