The mdex library's parse_document/2 function accepts a JSON source that is parsed by a private function json_to_node/1. This function converts a node_type value from the JSON into an atom using String.to_atom/1 via Module.concat/1. Because atoms in the BEAM VM are never garbage collected, an attacker can craft a deeply nested JSON document with unique node_type values at each node, causing the system to intern a new atom per node. This can exhaust the atom table limit (approximately 1,048,576 atoms), causing the Erlang VM to abort and crash all processes on the node. This vulnerability affects mdex versions from 0.4.3 up to but not including 0.13.2 and allows unauthenticated denial-of-service via resource exhaustion.

Successful exploitation results in denial-of-service by exhausting the Erlang VM's atom table, causing the entire VM to abort and all hosted processes to crash. This impacts availability of any application using vulnerable mdex versions that parse untrusted JSON input via the {:json, ...} source in parse_document/2. There is no indication of confidentiality or integrity impact. The vulnerability is unauthenticated and can be triggered remotely if untrusted JSON input is processed.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid passing untrusted JSON input to mdex.parse_document/2 with the {:json, ...} source. Consider implementing input validation or limiting JSON complexity to prevent excessive atom creation. Monitor vendor channels for updates and apply official patches once released.