Elixir Plug Cowboy Atom Table Exhaustion Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in the Elixir Plug library, specifically in the plug_cowboy component, versions from 2.0.0 up to but not including 2.8.1. It allows unauthenticated remote attackers to exhaust the BEAM atom table, crashing the Erlang VM and taking down the entire node. The issue arises in HTTP/2 connections, where the :scheme pseudo-header value is passed through without validation, so an attacker can send a stream of unique values, each of which permanently allocates a new entry in the atom table. Because atoms are never garbage-collected and the table has a fixed limit, filling it raises a system_limit error and crashes the VM.

Impact

Exploitation of this vulnerability causes the Erlang VM to crash, terminating all processes and disrupting any applications running on the node.

Remediation

Users are advised to update to plug_cowboy version 2.8.1. If using an earlier version, HTTP/2 can be disabled on the Plug.Cowboy.https/3 listener by passing protocol_options: %{protocols: [:http]} in the cowboy options, which restricts the listener to HTTP/1.1.
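The following Elixir snippet is an added illustration, not code from plug_cowboy or the advisory. It shows the bug class behind the Vulnerability section (untrusted strings converted to atoms) next to an allow-list version that creates no atoms, a headroom check on the atom table that a defender can poll, and the workaround from the Remediation section written out as a Plug.Cowboy.https/3 call. The module name AtomSafety, the router MyApp.Router, the port and the certificate paths are placeholders; :erlang.system_info(:atom_count) and :erlang.system_info(:atom_limit) are real OTP calls.

```elixir
# Added illustrative example; not plug_cowboy's own code.

defmodule AtomSafety do
  # Unsafe pattern (illustrative only): every previously unseen string becomes
  # a fresh atom. Atoms are never garbage-collected, so untrusted input such as
  # an HTTP/2 :scheme pseudo-header grows the table until the VM hits
  # system_limit.
  def scheme_to_atom_unsafe(scheme) when is_binary(scheme) do
    String.to_atom(scheme)
  end

  # Safe pattern: match against the values the protocol actually permits.
  # Only atoms that already exist as literals are returned; anything else
  # is rejected without touching the atom table.
  def scheme_to_atom("http"), do: {:ok, :http}
  def scheme_to_atom("https"), do: {:ok, :https}
  def scheme_to_atom(_other), do: {:error, :invalid_scheme}

  # Headroom check for the atom table. Polling this from a health check or
  # telemetry job gives early warning of exhaustion, whatever the cause.
  # Returns {:ok, fraction_used} or {:alert, fraction_used} once the fraction
  # reaches alert_fraction (0.8 by default, an assumed threshold).
  def atom_table_usage(alert_fraction \\ 0.8) do
    count = :erlang.system_info(:atom_count)
    limit = :erlang.system_info(:atom_limit)
    used = count / limit
    if used >= alert_fraction, do: {:alert, used}, else: {:ok, used}
  end
end

# Workaround for versions before 2.8.1, as it would appear where the
# application starts its TLS listener: restrict the listener to HTTP/1.1 so
# HTTP/2 pseudo-headers are never parsed. Router, port and PEM paths are
# placeholders.
Plug.Cowboy.https(MyApp.Router, [],
  port: 4443,
  keyfile: "priv/cert/selfsigned_key.pem",
  certfile: "priv/cert/selfsigned.pem",
  protocol_options: %{protocols: [:http]}
)
```

The allow-list clauses are the general shape of the fix for this bug class: the set of acceptable values is finite and known, so the code should map into that set rather than mint an atom per input. The atom_table_usage/1 check is independent of this particular issue and is worth keeping as a node-level health signal even after upgrading.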

Added: Apr 27, 2026, 2:26 PM
Updated: Apr 27, 2026, 2:26 PM