CVE-2026-48597: CWE-770 Allocation of Resources Without Limits or Throttling in elixir-tesla tesla
Allocation of Resources Without Limits or Throttling vulnerability in elixir-tesla tesla allows denial of service via atom table exhaustion in Tesla.Adapter.Mint. Tesla.Adapter.Mint.open_conn/2 converts the URL scheme of every outgoing request to a BEAM atom via String.to_atom(uri.scheme) with no allow-list validation. BEAM atoms are never garbage-collected and the atom table is bounded (approximately 1,048,576 entries by default). An attacker who can influence the URL of a Tesla request — either via an application-level URL-forwarding feature (webhook, proxy, importer) or via a Location header returned by a server when Tesla.Middleware.FollowRedirects is in the pipeline — can mint one fresh permanent atom per request by varying the scheme string. After enough requests the atom table fills and the VM crashes, taking down the entire application. This issue affects tesla: from 1.3.0 before 1.18.3.
AI Analysis
Technical Summary
The vulnerability in elixir-tesla's Tesla.Adapter.Mint.open_conn/2 function involves converting the URL scheme of outgoing requests into BEAM atoms using String.to_atom(uri.scheme) without any allow-list validation. Because BEAM atoms are not garbage-collected and the atom table has a fixed size limit (~1,048,576 entries), an attacker able to influence the URL scheme—via application-level URL forwarding features or redirect headers—can cause the creation of many unique atoms. This leads to atom table exhaustion and a crash of the Erlang VM, resulting in a denial of service. The issue affects tesla versions starting at 1.3.0 up to but not including 1.18.3. The CVSS 4.0 score is 8.2, indicating high severity. No vendor advisory or patch links are currently available, and the remediation level is not specified.
Potential Impact
Successful exploitation results in denial of service by crashing the Erlang VM hosting the application due to atom table exhaustion. This can cause application downtime and service disruption. There is no indication of privilege escalation, data disclosure, or other impacts beyond denial of service.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid processing untrusted or attacker-controlled URLs that influence the URL scheme in Tesla requests. Consider disabling or restricting features that allow URL forwarding or automatic redirect following if they can be influenced by untrusted input.
CVE-2026-48597: CWE-770 Allocation of Resources Without Limits or Throttling in elixir-tesla tesla
Description
Allocation of Resources Without Limits or Throttling vulnerability in elixir-tesla tesla allows denial of service via atom table exhaustion in Tesla.Adapter.Mint. Tesla.Adapter.Mint.open_conn/2 converts the URL scheme of every outgoing request to a BEAM atom via String.to_atom(uri.scheme) with no allow-list validation. BEAM atoms are never garbage-collected and the atom table is bounded (approximately 1,048,576 entries by default). An attacker who can influence the URL of a Tesla request — either via an application-level URL-forwarding feature (webhook, proxy, importer) or via a Location header returned by a server when Tesla.Middleware.FollowRedirects is in the pipeline — can mint one fresh permanent atom per request by varying the scheme string. After enough requests the atom table fills and the VM crashes, taking down the entire application. This issue affects tesla: from 1.3.0 before 1.18.3.
CVSS v4.0
Score 8.2high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in elixir-tesla's Tesla.Adapter.Mint.open_conn/2 function involves converting the URL scheme of outgoing requests into BEAM atoms using String.to_atom(uri.scheme) without any allow-list validation. Because BEAM atoms are not garbage-collected and the atom table has a fixed size limit (~1,048,576 entries), an attacker able to influence the URL scheme—via application-level URL forwarding features or redirect headers—can cause the creation of many unique atoms. This leads to atom table exhaustion and a crash of the Erlang VM, resulting in a denial of service. The issue affects tesla versions starting at 1.3.0 up to but not including 1.18.3. The CVSS 4.0 score is 8.2, indicating high severity. No vendor advisory or patch links are currently available, and the remediation level is not specified.
Potential Impact
Successful exploitation results in denial of service by crashing the Erlang VM hosting the application due to atom table exhaustion. This can cause application downtime and service disruption. There is no indication of privilege escalation, data disclosure, or other impacts beyond denial of service.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid processing untrusted or attacker-controlled URLs that influence the URL scheme in Tesla requests. Consider disabling or restricting features that allow URL forwarding or automatic redirect following if they can be influenced by untrusted input.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-05-22T09:36:56.834Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a1f3494e29bf47b50fa253d
Added to database: 6/2/2026, 7:52:52 PM
Last enriched: 6/2/2026, 8:03:33 PM
Last updated: 6/3/2026, 4:14:16 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.