Description
Allocation of Resources Without Limits or Throttling vulnerability in elixir-tesla tesla allows denial of service via atom table exhaustion in Tesla.Adapter.Mint.

Tesla.Adapter.Mint.open_conn/2 converts the URL scheme of every outgoing request to a BEAM atom via String.to_atom(uri.scheme) with no allow-list validation. BEAM atoms are never garbage-collected and the atom table is bounded (approximately 1,048,576 entries by default). An attacker who can influence the URL of a Tesla request — either via an application-level URL-forwarding feature (webhook, proxy, importer) or via a Location header returned by a server when Tesla.Middleware.FollowRedirects is in the pipeline — can mint one fresh permanent atom per request by varying the scheme string. After enough requests the atom table fills and the VM crashes, taking down the entire application.

This issue affects tesla: from 1.3.0 before 1.18.3.
Published: 2026-06-02
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Tesla.Adapter.Mint converts any requested URL scheme into a BEAM atom without validation. BEAM atoms are permanent and the atom table has a fixed capacity of about 1,048,576 entries. An attacker who can supply or influence a URL scheme can trigger a new atom per request; after enough unique schemes the atom table overflows, forcing the Erlang VM to crash and causing the entire application to stop. This is a classic resource exhaustion issue (CWE-770) that leads to denial of service.

Affected Systems

Elixir-Tesla's Tesla library, specifically the Tesla.Adapter.Mint component, is vulnerable. Users who depend on tesla v1.3.0 up to and including v1.18.2 are affected, as the bug was fixed in release v1.18.3. The vulnerability applies to any application that imports tesla and uses the adapter, especially those that process untrusted URLs or enable redirect following.

Risk and Exploitability

With a CVSS score of 8.2 the vulnerability is considered high severity. The EPSS score is currently unavailable, and the issue is not listed in CISA’s KEV catalog, but the exploitation path is straightforward: an attacker who can inject arbitrary URLs—via webhook forwards, proxy inputs, or HTTP redirects—can send many requests with unique scheme strings, exhausting the atom table and shutting down the VM. The failure mode is a complete denial of service with no recovery except a restart, making the risk significant for production systems.

Generated by OpenCVE AI on June 3, 2026 at 04:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the patched tesla release 1.18.3 or later.
  • If you cannot upgrade immediately, modify your code to validate the URL scheme before converting to an atom, or replace String.to_atom/1 with String.to_existing_atom/1 and maintain an allowlist of supported schemes.
  • Disable or restrict any middleware that follows redirects or forwards URLs if the target URL is untrusted.
  • Deploy monitoring to observe the atom table size and set thresholds to trigger alerts before exhaustion occurs.
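The following Elixir module is an added illustration of the second and fourth recommendations above; it is not Tesla's code or its fix. SchemeGuard, its function names and the sample URLs are assumptions; it contrasts the unbounded String.to_atom/1 pattern with an allow-list lookup that can only yield :http or :https, and adds the atom-table check a monitoring job would poll.

```elixir
defmodule SchemeGuard do
  @moduledoc "Hypothetical helper: allow-listed scheme conversion and atom-table monitoring."

  # Mint.HTTP.connect/4 only accepts :http or :https, so these are the only
  # atoms a Mint-based adapter legitimately needs for the scheme argument.
  @allowed_schemes %{"http" => :http, "https" => :https}

  @doc "Vulnerable pattern: every previously unseen scheme string mints a permanent atom."
  def scheme_unsafe(url) do
    url |> URI.parse() |> Map.get(:scheme) |> String.to_atom()
  end

  @doc """
  Hardened pattern: map the scheme through a fixed allow-list. Unknown schemes
  are rejected before any atom is created, so an attacker-controlled URL
  (forwarded webhook, proxy input, redirect Location) cannot grow the atom table.
  """
  def scheme_safe(url) do
    uri = URI.parse(url)

    case Map.fetch(@allowed_schemes, uri.scheme) do
      {:ok, atom} -> {:ok, atom}
      :error -> {:error, {:unsupported_scheme, uri.scheme}}
    end
  end

  @doc """
  Atom-table usage for the monitoring recommendation: a periodic job can alert
  on `ratio` (for example above 0.8) well before the VM reaches the limit.
  """
  def atom_table_usage do
    count = :erlang.system_info(:atom_count)
    limit = :erlang.system_info(:atom_limit)
    %{count: count, limit: limit, ratio: count / limit}
  end
end

# Constructed sample inputs: the allow-listed path accepts https and rejects
# an arbitrary scheme without creating an atom for it.
{:ok, :https} = SchemeGuard.scheme_safe("https://example.com/hook")
{:error, {:unsupported_scheme, "ftp"}} = SchemeGuard.scheme_safe("ftp://example.com/")

before = :erlang.system_info(:atom_count)
{:error, _} = SchemeGuard.scheme_safe("zz9812://example.com/")
^before = :erlang.system_info(:atom_count)  # atom count unchanged

IO.inspect(SchemeGuard.atom_table_usage(), label: "atom table")
```

Calling SchemeGuard.scheme_unsafe/1 on the same rejected URLs would raise the atom count by one for each new scheme string, which is the behaviour the advisory describes.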

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type / Values Removed / Values Added (first history entry: every field below is added, none removed)

  Description: Allocation of Resources Without Limits or Throttling vulnerability in elixir-tesla tesla allows denial of service via atom table exhaustion in Tesla.Adapter.Mint. Tesla.Adapter.Mint.open_conn/2 converts the URL scheme of every outgoing request to a BEAM atom via String.to_atom(uri.scheme) with no allow-list validation. BEAM atoms are never garbage-collected and the atom table is bounded (approximately 1,048,576 entries by default). An attacker who can influence the URL of a Tesla request — either via an application-level URL-forwarding feature (webhook, proxy, importer) or via a Location header returned by a server when Tesla.Middleware.FollowRedirects is in the pipeline — can mint one fresh permanent atom per request by varying the scheme string. After enough requests the atom table fills and the VM crashes, taking down the entire application. This issue affects tesla: from 1.3.0 before 1.18.3.
  Title: Atom table exhaustion via untrusted URL scheme in Tesla.Adapter.Mint
  First Time appeared: Elixir-tesla; Elixir-tesla tesla
  Weaknesses: CWE-770
  CPEs: cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*
  Vendors & Products: Elixir-tesla; Elixir-tesla tesla
  References: (empty)
  Metrics: cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-02T19:12:23.287Z

Reserved: 2026-05-22T09:36:56.834Z

Link: CVE-2026-48597

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-02T20:16:38.710

Modified: 2026-06-02T20:16:38.710

Link: CVE-2026-48597

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T04:30:05Z

Weaknesses