ash
cpe:2.3:a:ash_project:ash:*:*:*:*:rust:*:*
- <= 3.21.3
A denial-of-service vulnerability has been identified in the Ash Framework for Elixir, prior to version 3.22.0. The issue arises in the 'Ash.Type.Module.cast_input/2' function, which creates a new Erlang atom from any user-supplied binary string that begins with 'Elixir.', without first checking whether the referenced module exists. Because atoms on the BEAM are never garbage collected, this unchecked operation can lead to exhaustion of the BEAM atom table, which has a hard limit of approximately 1,048,576 entries. An attacker able to submit values to resource attributes or arguments of type ':module' can exhaust the atom table, causing the BEAM VM to crash and take down the application.
Exhaustion of the BEAM atom table leads to a crash of the entire BEAM VM process, causing a complete denial-of-service. All resources served by that VM instance become unavailable, and recovery requires a full process restart.
The vulnerability can be reproduced by creating an Ash resource with a ':module'-typed attribute that is exposed to user input. Once this resource is set up, submit repeated 'Ash.create' requests with unique 'Elixir.*' strings. Each request will create a new atom that persists, while the 'cast_input' function returns an error. After approximately 1,048,576 unique strings are submitted, the BEAM VM will crash due to reaching the system limit.
Users can upgrade to Ash Framework version 3.22.0 or later, where this vulnerability has been patched.
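The following Elixir module is an added example and is not Ash's code or its actual patch. The module name 'SafeModuleCast' and its function shape are assumptions. It shows the hardened form of the cast described above: 'String.to_existing_atom/1' resolves a name only if the atom is already in the table and never allocates a new one, so unknown 'Elixir.*' strings cannot grow the table. It also includes an atom-table usage check that an operator can poll or alert on, since the 'atom_count' and 'atom_limit' system_info keys are what make this condition observable before the VM crashes.

```elixir
# Added example (not Ash's own code): casting user input to a module atom
# without ever allocating a new atom, plus a monitoring helper.
defmodule SafeModuleCast do
  @moduledoc """
  Hypothetical hardened replacement for an unchecked String.to_atom/1 cast.
  """

  @doc """
  Casts a value to a module atom. Returns {:ok, module} or :error.
  Binaries are resolved with String.to_existing_atom/1, which raises
  ArgumentError when the atom does not already exist, so a stream of
  unique attacker-chosen names cannot fill the atom table.
  """
  def cast_input("Elixir." <> _ = binary, _constraints) do
    try do
      module = String.to_existing_atom(binary)
      # An existing atom is not necessarily a loadable module; check that too.
      if Code.ensure_loaded?(module), do: {:ok, module}, else: :error
    rescue
      ArgumentError -> :error
    end
  end

  # Any other binary (not an Elixir module name) is rejected outright.
  def cast_input(binary, _constraints) when is_binary(binary), do: :error

  # Atoms are already in the table; only accept ones that name a real module.
  def cast_input(atom, _constraints) when is_atom(atom) do
    if Code.ensure_loaded?(atom), do: {:ok, atom}, else: :error
  end

  def cast_input(_other, _constraints), do: :error

  @doc """
  Fraction of the atom table currently in use (0.0 .. 1.0).
  Suitable for a metric or a health check; a steadily rising value under
  user-driven load is the signature of an atom-exhaustion attempt.
  """
  def atom_table_usage do
    count = :erlang.system_info(:atom_count)
    limit = :erlang.system_info(:atom_limit)
    count / limit
  end
end

# Usage (iex):
#   SafeModuleCast.cast_input("Elixir.Enum", [])          #=> {:ok, Enum}
#   SafeModuleCast.cast_input("Elixir.NoSuchMod123", []) #=> :error, no atom created
#   SafeModuleCast.atom_table_usage()                     #=> e.g. 0.02
```

The key design choice is that rejection happens without a side effect: the error path in the vulnerable version still left a new atom behind, whereas here an unknown name leaves the table unchanged, so repeated bad input has no cumulative cost.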