DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-48597: CVE-2026-48597: Denial of Service via Atom Table Exhaustion in Elixir Tesla Client (Mint Adapter)

CVE-2026-48597: Denial of Service via Atom Table Exhaustion in Elixir Tesla Client (Mint Adapter)

Vulnerability ID: CVE-2026-48597
CVSS Score: 8.2
Published: 2026-07-10

CVE-2026-48597 is a high-severity Denial of Service (DoS) vulnerability in the Elixir HTTP client library Tesla (specifically involving the Mint adapter) that allows an unauthenticated remote attacker to cause an unrecoverable crash of the Erlang Virtual Machine (BEAM). The flaw arises from the dynamic conversion of untrusted URL schemes into Erlang atoms without validation, leading to global atom table exhaustion.

TL;DR

A high-severity Denial of Service vulnerability in the Elixir Tesla HTTP client (using the Mint adapter) allows remote, unauthenticated attackers to crash the Erlang VM by submitting arbitrary URL schemes that exhaust the non-garbage-collected atom table.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-770
  • Attack Vector: Network
  • CVSS v4.0 Score: 8.2 (High)
  • EPSS Score: 0.00301 (0.30%)
  • Exploit Status: Proof of Concept (poc)
  • CISA KEV Status: Not Listed

Affected Systems

  • elixir-tesla (tesla Hex package)
  • tesla: >= 1.3.0, < 1.18.3 (Fixed in: 1.18.3)

Code Analysis

Commit: 4699c3c

Fix atom leak in Mint adapter by verifying scheme

Exploit Details

  • GitHub: Unit test suite demonstrating dynamic scheme validation bypass and subsequent atom creation prevention.

Mitigation Strategies

  • Upgrade the tesla library to version 1.18.3 or later to enforce scheme allow-listing.
  • Validate and sanitize user-supplied URLs before passing them to the Tesla client to ensure they only contain approved scheme strings like 'http' or 'https'.
  • Disable the automatic following of redirects when interacting with untrusted hosts, or intercept redirect URLs to filter out unexpected schemes.
  • Switch to an alternative HTTP adapter (such as Hackney or Finch) that does not convert dynamic request metadata into atoms.

Remediation Steps:

  1. Open your Elixir project's mix.exs file.
  2. Locate the {:tesla, ...} dependency definition.
  3. Update the version constraint to '~> 1.18.3' or higher.
  4. Run 'mix deps.update tesla' in your terminal to fetch and compile the patched version.
  5. Deploy the updated application to production and monitor the VM's atom table count to verify stability.

References


Read the full report for CVE-2026-48597 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)