HarborGuard Database

HIGH | CVE-2026-48597 | Published | Modified | CNA: EEF

CVE-2026-48597: Atom table exhaustion via untrusted URL scheme in Tesla.Adapter.Mint

Allocation of Resources Without Limits or Throttling vulnerability in elixir-tesla tesla allows denial of service via atom table exhaustion in Tesla.Adapter.Mint. Tesla.Adapter.Mint.open_conn/2 converts the URL scheme of every outgoing request to a BEAM atom via String.to_atom(uri.scheme) with no allow-list validation. BEAM atoms are never garbage-collected and the atom table is bounded (approximately 1,048,576 entries by default). An attacker who can influence the URL of a Tesla request — either via an application-level URL-forwarding feature (webhook, proxy, importer) or via a Location header returned by a server when Tesla.Middleware.FollowRedirects is in the pipeline — can mint one fresh permanent atom per request by varying the scheme string. After enough requests the atom table fills and the VM crashes, taking down the entire application. This issue affects tesla: from 1.3.0 before 1.18.3.
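The mechanism above, as an added example that is not Tesla's source and not HarborGuard's code: a minimal reconstruction of the vulnerable scheme-to-atom conversion beside a hardened allow-list version, plus a harness that reads the BEAM atom counter before and after feeding each variant a batch of attacker-style URLs with unique schemes. Module and function names are assumptions for illustration; the URLs are constructed input.

```elixir
# Added example, not code from elixir-tesla. Reconstructs the pattern the
# advisory describes (String.to_atom on an untrusted URI scheme) next to a
# hardened variant, and shows the atom table growing only under the former.
defmodule SchemeDemo do
  # Vulnerable pattern: every distinct scheme string mints a new permanent atom.
  # Atoms are never garbage-collected, so this is one table slot per request.
  def scheme_vulnerable(url) do
    uri = URI.parse(url)
    String.to_atom(uri.scheme)
  end

  # Hardened pattern: only the schemes the adapter can actually speak are
  # mapped to atoms; anything else is rejected while still a binary.
  # Note: String.to_existing_atom/1 alone would stop table growth but would
  # still accept any scheme whose atom already exists (e.g. "erlang"),
  # so an explicit allow-list is the right shape for the fix.
  @allowed_schemes %{"http" => :http, "https" => :https}

  def scheme_hardened(url) do
    scheme = URI.parse(url).scheme

    case Map.fetch(@allowed_schemes, scheme) do
      {:ok, atom} -> {:ok, atom}
      :error -> {:error, {:unsupported_scheme, scheme}}
    end
  end

  # Current atom-table occupancy; :atom_limit is 1_048_576 by default.
  def atom_count, do: :erlang.system_info(:atom_count)
  def atom_limit, do: :erlang.system_info(:atom_limit)

  # Constructed input: n URLs with a fresh scheme each, the way a malicious
  # redirect chain or webhook submitter would vary them. Returns how many
  # atoms each variant added to the table.
  def run(n \\ 1_000) do
    urls =
      for i <- 1..n,
          do: "x#{System.unique_integer([:positive])}-#{i}://evil.example/"

    before = atom_count()
    Enum.each(urls, &scheme_hardened/1)
    hardened_added = atom_count() - before

    before = atom_count()
    Enum.each(urls, &scheme_vulnerable/1)
    vulnerable_added = atom_count() - before

    %{hardened_added: hardened_added, vulnerable_added: vulnerable_added,
      atom_count: atom_count(), atom_limit: atom_limit()}
  end
end
```

Running `SchemeDemo.run(1_000)` in `iex` should report `hardened_added: 0` and `vulnerable_added` at or very close to 1000 (other VM activity may add a handful of atoms concurrently). Do not push `n` toward the limit on a node you care about: when the table is full the VM halts rather than raising a catchable exception.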

Metrics

CVSS v4.0
8.2
Severity
HIGH
Fixed in
1.18.3
Affected Products
2


HarborGuard Analysis

Synopsis

Atom table exhaustion is an unthrottled resource-allocation vulnerability in the elixir-tesla library, specifically in the Tesla.Adapter.Mint HTTP adapter. The flaw is reachable over the network with no authentication required: any attacker who can influence the URL scheme of an outgoing Tesla request (via a webhook, redirect chain, or URL-forwarding feature) can mint one new permanent BEAM atom per request, eventually filling the fixed atom table (~1,048,576 entries) and crashing the Erlang VM. Successful exploitation causes a full application denial of service. A patched-image rebuild at version 1.18.3 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-48597 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built Elixir application images that bundle elixir-tesla at a vulnerable version (1.3.0 up to but not including 1.18.3). Both registry scans and CI pipeline scans are covered.

Triage (Available)

Triage is available using the CVSS v4.0 score of 8.2 (HIGH), weighted against each customer environment's compliance policy to prioritize internet-facing or webhook-processing workloads. Findings are routed to the appropriate team inbox within each customer org based on image ownership and severity thresholds.

Patch (Available)

A patched-image rebuild at elixir-tesla 1.18.3 (commit 4699c3cb3e2fd6078f99f45f11cf7466aeedbf0e) is available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard queues a rebuild, runs a regression test pass, and opens a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the application over the network to supply a crafted URL scheme, either by triggering a webhook or URL-forwarding feature or by controlling a redirect-chain endpoint.

  • Authentication: Not required

    No credentials or account are needed; the attacker only needs the ability to submit URLs that the vulnerable application will fetch.

  • Victim interaction: Not required

    No user action is required; the vulnerable code path executes automatically when the application processes an outgoing HTTP request.

  • Attack complexity: Low (AC:L), Attack Requirements present (AT:P)

    The exploit is straightforward in principle, but the CVSS v4.0 vector records an Attack Requirements value of Present (AT:P): the attacker must first identify and reach an application feature that lets them influence outgoing request URLs or redirect destinations.

Blast Radius

  • The Erlang VM atom table fills with permanent atoms and the VM halts (atom table overflow is a system limit, not a catchable exception), taking down the entire application and every service it hosts.
  • All in-flight requests and background jobs running inside the same VM instance are terminated without clean shutdown.
  • Any stateful processes (GenServers, ETS tables, in-memory caches) that have not been persisted externally are lost at crash time.
  • Repeated crashes can cause sustained downtime if no restart throttle is in place, because each restart resets the atom count but the attacker can refill the table again.

How HarborGuard Handles This

Available on HarborGuard: images containing elixir-tesla in the affected range (1.3.0 up to but not including 1.18.3) are flagged automatically as soon as the CVE is matched during ingest. For customers who opt into auto-remediation, HarborGuard rebuilds the image at version 1.18.3, runs a regression test pass, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual review, the finding is routed to the owning team inbox with the CVSS 8.2 score, affected layer details, and a direct reference to the fix commit. Until a rebuild is deployed, compensating controls worth considering include an allow-list at the application layer for accepted URL schemes, enforced before the request reaches the adapter (this is the control that actually prevents the allocation: the scheme is converted to an atom before any connection is attempted, so host-level egress or network-policy rules limit where the application can connect but do not stop the atom from being created), disabling Tesla.Middleware.FollowRedirects where redirect following is not a business requirement, and monitoring the VM's atom count so an exhaustion attempt is visible before the table fills.
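The scheme allow-list and atom-count monitoring described as compensating controls above, as an added example that is not code from the Tesla project or from HarborGuard. It assumes `tesla` is in the application's dependencies; the `MyApp.*` module names and the 50% alarm threshold are illustrative. The placement caveat matters: Tesla.Middleware.FollowRedirects re-runs only the middlewares listed after it for each redirect hop, so the allow-list must be plugged below it to see the attacker-supplied Location target rather than only the original URL.

```elixir
# Added example, not code from elixir-tesla or HarborGuard.
# Assumes `tesla` is available in deps; MyApp.* names are illustrative.
defmodule MyApp.Middleware.SchemeAllowList do
  @moduledoc """
  Rejects any request whose URL scheme is not on the allow-list before the
  adapter can turn that scheme into an atom. Plug it BELOW FollowRedirects:
  FollowRedirects calls Tesla.run/2 on the middlewares after itself for every
  hop, so a check placed above it would only ever see the first URL.
  """
  @behaviour Tesla.Middleware

  @default_schemes ["http", "https"]

  @impl Tesla.Middleware
  def call(%Tesla.Env{url: url} = env, next, opts) do
    # Tesla passes nil when the plug is given no options.
    allowed = Keyword.get(opts || [], :schemes, @default_schemes)

    case URI.parse(url).scheme do
      scheme when is_binary(scheme) ->
        if String.downcase(scheme) in allowed do
          Tesla.run(env, next)
        else
          # The scheme stays a binary: no atom is created on the reject path.
          {:error, {:unsupported_scheme, scheme}}
        end

      nil ->
        {:error, :missing_scheme}
    end
  end
end

defmodule MyApp.Client do
  use Tesla

  plug Tesla.Middleware.FollowRedirects, max_redirects: 3
  # Deliberately below FollowRedirects so every redirect hop is checked.
  plug MyApp.Middleware.SchemeAllowList, schemes: ["https"]

  adapter Tesla.Adapter.Mint
end

defmodule MyApp.AtomTableCheck do
  @moduledoc """
  Health check for an exhaustion attempt in progress. Alert well below 1.0:
  the VM halts the moment the table is full, leaving no time to react.
  """

  def usage do
    count = :erlang.system_info(:atom_count)
    limit = :erlang.system_info(:atom_limit)
    %{count: count, limit: limit, ratio: count / limit}
  end

  # Illustrative threshold; tune to the node's normal atom footprint.
  def alarm?(threshold \\ 0.5), do: usage().ratio >= threshold
end
```

With this client, `MyApp.Client.get("https://example.com/")` proceeds as normal, while a redirect to `foo123://evil.example/` returns `{:error, {:unsupported_scheme, "foo123"}}` without touching the atom table. Polling `MyApp.AtomTableCheck.alarm?/1` from a periodic health check (or exporting `usage/0` to your metrics pipeline) gives the early warning that the rate of new atoms is not what the application normally produces.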

See how HarborGuard automates this

Fix available: 1.18.3

Patch commits: 4699c3cb3e2fd6078f99f45f11cf7466aeedbf0e
Affected packages
  • elixir-tesla / tesla
    < 1.18.3 (from 1.3.0)
  • elixir-tesla / tesla
    < 4699c3cb3e2fd6078f99f45f11cf7466aeedbf0e (from ccd0823d4ba37581a37d8f6108f9a81b263237ef)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N