Description
Allocation of Resources Without Limits or Throttling vulnerability in leandrocp MDEx allows Excessive Allocation.

MDEx.parse_document/2 accepts a {:json, json} source. In lib/mdex.ex, the private json_to_node/1 function passes the attacker-controlled node_type value to Module.concat/1, which calls String.to_atom/1 and interns a brand-new atom for every distinct value. Atoms are never garbage collected on the BEAM, so a crafted JSON document carrying a unique node_type at each (deeply nested) node mints one permanent atom per node.

A single document can intern hundreds of thousands of atoms, and a large enough document exhausts the default atom table (around 1,048,576 atoms) and aborts the entire Erlang VM, taking down every process on the node. Any application that passes untrusted input to the {:json, ...} source of MDEx.parse_document is exposed to an unauthenticated denial-of-service.
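The interning step described above, beside a bounded alternative and the atom-table check the workaround below relies on, as an added Elixir illustration that is not MDEx's code or its fix; the MyApp.Node namespace and the function names are assumptions:

```elixir
# Added illustration (not MDEx's own code). The namespace MyApp.Node and the
# function names are assumptions made for this example.
defmodule NodeTypeDemo do
  # Vulnerable pattern: Module.concat/1 calls String.to_atom/1, so every
  # distinct node_type string from the document interns a new, never-freed
  # atom. A document with N unique node_type values grows the atom table by N.
  def unsafe_node_module(node_type) when is_binary(node_type) do
    Module.concat([MyApp.Node, node_type])
  end

  # Hardened pattern: only names that already exist as atoms are accepted.
  # String.to_existing_atom/1 raises ArgumentError for anything else, so
  # untrusted input cannot add entries to the atom table. A compile-time
  # allowlist of the known node modules would be stricter still.
  def safe_node_module(node_type) when is_binary(node_type) do
    mod = String.to_existing_atom("Elixir.MyApp.Node." <> node_type)

    if Code.ensure_loaded?(mod),
      do: {:ok, mod},
      else: {:error, {:unknown_node_type, node_type}}
  rescue
    ArgumentError -> {:error, {:unknown_node_type, node_type}}
  end

  # Operational check for the "restart before exhaustion" workaround:
  # fraction of the atom table currently in use (both keys exist in OTP 20+).
  def atom_table_usage do
    :erlang.system_info(:atom_count) / :erlang.system_info(:atom_limit)
  end
end
```

safe_node_module/1 returns {:error, {:unknown_node_type, _}} for any name that is not already an atom and leaves :erlang.system_info(:atom_count) unchanged, which is the property the vulnerable path lacks.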

This issue affects mdex from 0.4.3 before 0.13.2.
Published: 2026-06-29
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MDEx.parse_document/2 accepts a JSON source that internally maps each 'node_type' value to an Erlang atom without any limit. Every unique value creates a persistent atom, so a crafted JSON document can intern hundreds of thousands of atoms and exhaust the default atom table (~1,048,576 entries). When the table's capacity is exceeded, the BEAM VM terminates, halting every process on the node. The flaw requires no authentication: any untrusted JSON payload can trigger a denial-of-service.

Affected Systems

The vulnerability is in the MDEx library maintained by leandrocp and affects every version from 0.4.3 up to but not including 0.13.2. Any software that passes third-party JSON to MDEx.parse_document via the :json source is vulnerable.

Risk and Exploitability

The CVSS score of 8.2 reflects high severity; EPSS data is unavailable, so there is no quantified likelihood estimate yet, and the vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the flaw simply by delivering a crafted JSON payload to the MDEx parser; no authentication or privileged access is required, so any path that feeds unauthenticated remote input into the parser is an attack vector. Because atoms are never garbage collected, every atom minted by malicious input persists for the life of the VM, and once the table is exhausted the VM aborts, so recovery requires a restart.

Generated by OpenCVE AI on June 29, 2026 at 20:20 UTC.

Remediation

Vendor Workaround

Do not pass untrusted or attacker-controlled input to the {:json, ...} source of MDEx.parse_document/2. The {:markdown, ...} source is not affected.


OpenCVE Recommended Actions

  • Update MDEx to version 0.13.2 or later to eliminate the atom‑creation flaw.
  • Reconfigure or hard-code the use of the {:markdown, ...} source for MDEx.parse_document; avoid sending untrusted JSON to the {:json, ...} source.
  • If upgrading is delayed, validate or reject incoming JSON before it reaches MDEx, and restart the application when atom-table usage approaches the limit.

Generated by OpenCVE AI on June 29, 2026 at 20:20 UTC.


Advisories

No advisories yet.

History

Mon, 29 Jun 2026 19:30:00 +0000

Values added (nothing removed):

  • Description: the full description text given at the top of this page.
  • Title: Atom-table exhaustion denial-of-service via JSON parse_document in MDEx
  • First Time appeared: Leandrocp; Leandrocp mdex
  • Weaknesses: CWE-770
  • CPEs: cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*
  • Vendors & Products: Leandrocp; Leandrocp mdex
  • References: none
  • Metrics: cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-29T20:49:48.817Z

Reserved: 2026-06-09T11:01:47.529Z

Link: CVE-2026-53426

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T20:30:03Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling