CVE-2026-48597
Severity CVSS v4.0:
HIGH
Type:
Unavailable / Other
Publication date:
02/06/2026
Last modified:
03/06/2026
Description
Allocation of Resources Without Limits or Throttling vulnerability in elixir-tesla tesla allows denial of service via atom table exhaustion in Tesla.Adapter.Mint.<br />
<br />
Tesla.Adapter.Mint.open_conn/2 converts the URL scheme of every outgoing request to a BEAM atom via String.to_atom(uri.scheme) with no allow-list validation. BEAM atoms are never garbage-collected and the atom table is bounded (approximately 1,048,576 entries by default). An attacker who can influence the URL of a Tesla request — either via an application-level URL-forwarding feature (webhook, proxy, importer) or via a Location header returned by a server when Tesla.Middleware.FollowRedirects is in the pipeline — can mint one fresh permanent atom per request by varying the scheme string. After enough requests the atom table fills and the VM crashes, taking down the entire application.<br />
<br />
This issue affects tesla: from 1.3.0 before 1.18.3.
Impact
Base Score 4.0
8.20
Severity 4.0
HIGH
References to Advisories, Solutions, and Tools
- https://cna.erlef.org/cves/CVE-2026-48597.html
- https://github.com/elixir-tesla/tesla/commit/4699c3cb3e2fd6078f99f45f11cf7466aeedbf0e
- https://github.com/elixir-tesla/tesla/security/advisories/GHSA-h74c-q9j7-mpcm
- https://osv.dev/vulnerability/EEF-CVE-2026-48597
- https://github.com/elixir-tesla/tesla/security/advisories/GHSA-h74c-q9j7-mpcm