Elixir-Tesla Tesla Atom Table Exhaustion Vulnerability in Mint Adapter Allows Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in the Elixir Tesla library, affecting versions from 1.3.0 up to, but not including, 1.18.3. The issue arises in the Tesla.Adapter.Mint module, where the URL scheme of outgoing requests is converted into a BEAM atom without proper validation. This unchecked conversion allows an attacker to create permanent atoms by manipulating the scheme, leading to exhaustion of the atom table. Since BEAM atoms are not garbage-collected and the atom table has a fixed limit of approximately 1,048,576 entries, exploitation can cause the Elixir virtual machine to crash, disrupting the entire application.

Impact

Exploitation of this vulnerability fills the BEAM atom table, causing the Elixir virtual machine to crash and take down the application.

Reproduction

To reproduce this vulnerability, an application must be set up to use the Tesla HTTP client library with the Mint adapter. The application should expose a feature that forwards untrusted URLs to Tesla, or include the Tesla.Middleware.FollowRedirects in its middleware pipeline. Once the application is running, send requests with varying URL schemes that have not been seen before. Each unique scheme will create a new permanent atom. After enough requests, the atom table will become full, and the VM will crash.

Remediation

Users can upgrade to Tesla version 1.18.3 or later, where this vulnerability has been fixed.
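The unchecked scheme-to-atom conversion described under Vulnerability, next to an allowlist check an application can apply before handing an untrusted URL to an HTTP client. This is an added example, not Tesla's source code; the module SchemeGuard, its function names and the sample URLs are hypothetical and constructed for illustration.

```elixir
defmodule SchemeGuard do
  # Vulnerable pattern: each previously unseen scheme string becomes a new
  # atom, and atoms are never garbage-collected.
  def unsafe_scheme(url) do
    url |> URI.parse() |> Map.get(:scheme) |> String.to_atom()
  end

  # Hardened pattern: only atoms written as literals in this module can be
  # returned; any other scheme is rejected without creating an atom.
  def safe_scheme(url) do
    case URI.parse(url).scheme do
      "http" -> {:ok, :http}
      "https" -> {:ok, :https}
      other -> {:error, {:unsupported_scheme, other}}
    end
  end

  # Current number of atoms and the configured table limit of the running VM.
  def atom_count, do: :erlang.system_info(:atom_count)
  def atom_limit, do: :erlang.system_info(:atom_limit)
end

# Warm-up so that lazy module loading does not distort the measurements.
SchemeGuard.safe_scheme("http://example.invalid/")
SchemeGuard.unsafe_scheme("http://example.invalid/")

# Constructed sample input: five URLs whose schemes the VM has not seen.
urls =
  for n <- 1..5 do
    "zzdemo#{n}x#{System.unique_integer([:positive])}://example.invalid/"
  end

before = SchemeGuard.atom_count()
Enum.each(urls, &SchemeGuard.safe_scheme/1)
after_safe = SchemeGuard.atom_count()
Enum.each(urls, &SchemeGuard.unsafe_scheme/1)
after_unsafe = SchemeGuard.atom_count()

IO.puts("atom table limit:           #{SchemeGuard.atom_limit()}")
IO.puts("atoms added, safe_scheme:   #{after_safe - before}")
IO.puts("atoms added, unsafe_scheme: #{after_unsafe - after_safe}")
```

A check in the calling code does not cover redirect targets that Tesla.Middleware.FollowRedirects processes inside the pipeline, so it complements the upgrade to 1.18.3 rather than replacing it.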

Added: Jun 2, 2026, 8:27 PM
Updated: Jun 2, 2026, 8:27 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.0
remediation: 0.0
relevance: 9.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.