CVE-2026-48597: Denial of Service via Atom Table Exhaustion in Elixir Tesla Client (Mint Adapter)
Vulnerability ID: CVE-2026-48597
CVSS Score: 8.2
Published: 2026-07-10
CVE-2026-48597 is a high-severity Denial of Service (DoS) vulnerability in the Elixir HTTP client library Tesla (specifically involving the Mint adapter) that allows an unauthenticated remote attacker to cause an unrecoverable crash of the Erlang Virtual Machine (BEAM). The flaw arises from the dynamic conversion of untrusted URL schemes into Erlang atoms without validation, leading to global atom table exhaustion.
TL;DR
A high-severity Denial of Service vulnerability in the Elixir Tesla HTTP client (using the Mint adapter) allows remote, unauthenticated attackers to crash the Erlang VM by submitting arbitrary URL schemes that exhaust the non-garbage-collected atom table.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-770
- Attack Vector: Network
- CVSS v4.0 Score: 8.2 (High)
- EPSS Score: 0.00301 (0.30%)
- Exploit Status: Proof of Concept (poc)
- CISA KEV Status: Not Listed
Affected Systems
- elixir-tesla (tesla Hex package)
-
tesla: >= 1.3.0, < 1.18.3 (Fixed in:
1.18.3)
Code Analysis
Commit: 4699c3c
Fix atom leak in Mint adapter by verifying scheme
Exploit Details
- GitHub: Unit test suite demonstrating dynamic scheme validation bypass and subsequent atom creation prevention.
Mitigation Strategies
- Upgrade the tesla library to version 1.18.3 or later to enforce scheme allow-listing.
- Validate and sanitize user-supplied URLs before passing them to the Tesla client to ensure they only contain approved scheme strings like 'http' or 'https'.
- Disable the automatic following of redirects when interacting with untrusted hosts, or intercept redirect URLs to filter out unexpected schemes.
- Switch to an alternative HTTP adapter (such as Hackney or Finch) that does not convert dynamic request metadata into atoms.
Remediation Steps:
- Open your Elixir project's mix.exs file.
- Locate the {:tesla, ...} dependency definition.
- Update the version constraint to '~> 1.18.3' or higher.
- Run 'mix deps.update tesla' in your terminal to fetch and compile the patched version.
- Deploy the updated application to production and monitor the VM's atom table count to verify stability.
References
- GitHub Security Advisory GHSA-h74c-q9j7-mpcm
- Fix Commit on GitHub
- Erlang Ecosystem Foundation Advisory
- OSV Ecosystem Advisory Record
- CVE.org Official Record
- NVD Vulnerability Details
Read the full report for CVE-2026-48597 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)