Elixir Uncontrolled Resource Consumption Vulnerability in Version Module Allows Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in the Elixir standard library's Version module. The issue arises from unbounded integer parsing of version components: an attacker who controls a version string can cause CPU and memory exhaustion in the process that parses it. The vulnerability affects Elixir versions from 1.5.0 up to, but not including, 1.20.1.

Impact

Exploitation of this vulnerability leads to CPU and memory exhaustion, causing a denial-of-service condition where the application becomes unresponsive.

Reproduction

The vulnerability can be reproduced by calling any public entry point of the Version module, such as Version.parse/1, Version.parse!/1, Version.match?/3, Version.compare/2, and Version.parse_requirement/1, with an untrusted version string that contains a very long all-digit component. Converting that component to an arbitrary-precision integer is super-linear in its length, which can pin a BEAM scheduler; if the component is large enough to raise a SystemLimitError, the calling process crashes.

Remediation

Upgrade to Elixir version 1.20.1 or later, which limits version components to 14 digits. Applications should also validate untrusted version strings against their own constraints (expected length and format) before passing them to the Version module.
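As an added example (not code from the advisory or from the Elixir project), the following module bounds every all-digit identifier of an untrusted version string before handing it to Version.parse/1, which keeps the integer conversion cheap on releases that predate the 14-digit limit; the module name and the 256-byte overall cap are assumptions.

```elixir
defmodule SafeVersion do
  @moduledoc """
  Added example, not part of the advisory or of Elixir itself: reject version
  strings whose all-digit identifiers are too long before calling Version.parse/1.
  """

  # Mirrors the per-component limit adopted in Elixir 1.20.1.
  @max_digits 14
  # Overall length cap is an assumption; legitimate version strings are far shorter.
  @max_bytes 256

  @spec parse(String.t()) :: {:ok, Version.t()} | :error
  def parse(string) when is_binary(string) and byte_size(string) <= @max_bytes do
    if components_bounded?(string), do: Version.parse(string), else: :error
  end

  def parse(_), do: :error

  # Split off build metadata ("+..."), then the pre-release ("-..."), then
  # break everything on "."; each identifier made only of digits must be short.
  defp components_bounded?(string) do
    [rest | build] = String.split(string, "+", parts: 2)
    [core | pre] = String.split(rest, "-", parts: 2)

    [core | pre ++ build]
    |> Enum.flat_map(&String.split(&1, "."))
    |> Enum.all?(&bounded_identifier?/1)
  end

  # Non-numeric identifiers (e.g. "rc") are left for Version.parse/1 to judge;
  # numeric ones are capped so no oversized integer is ever constructed.
  defp bounded_identifier?(id) do
    not Regex.match?(~r/^\d+$/, id) or byte_size(id) <= @max_digits
  end
end
```

Call SafeVersion.parse/1 in place of Version.parse/1 wherever the input comes from outside the trust boundary; it returns the same {:ok, version} or :error shape.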

Added: Jun 9, 2026, 2:47 PM
Updated: Jun 9, 2026, 2:47 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.4
remediation: 0.0
relevance: 9.3
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.