Phenixdigital Phoenix Storybook Unauthenticated Denial-of-Service Vulnerability via BEAM Atom Table Exhaustion

Vulnerability

A denial-of-service vulnerability has been identified in Phenixdigital Phoenix Storybook versions from 0.2.0 up to, but not including, 1.1.0. It allows unauthenticated attackers to exhaust the BEAM atom table, crashing the entire BEAM node. The issue arises because multiple LiveView event handlers convert user-supplied event parameter strings into atoms using String.to_atom/1 without proper validation. Atoms are never garbage-collected, so each unique attacker-controlled string creates a permanent atom allocation. Once the atom table reaches its limit of approximately 1,048,576 atoms, the BEAM node aborts, causing all applications running on it to terminate.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by exhausting the BEAM atom table with permanent allocations from attacker-controlled strings. Once the atom limit is reached, the BEAM node crashes, taking down all applications on the node, not just the one affected by the vulnerability.

Reproduction

To reproduce this vulnerability, send LiveView events such as 'psb-assign' or 'psb-toggle' to a mounted Phoenix Storybook playground. These events can be crafted to include a large number of unique keys, each of which is converted to an atom, flooding the atom table. This can be automated with a script that sends these events with attacker-controlled data.

Remediation

Users can upgrade to Phoenix Storybook version 1.1.0 or later, where this vulnerability has been fixed.
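
For handlers in your own code that follow the pattern described under Vulnerability, the following added example contrasts String.to_atom/1 with two conversions that never allocate atoms for unknown input. It is not Phoenix Storybook's code or its 1.1.0 fix; the module AtomSafeParams, its functions and the allowed key names are hypothetical.

```elixir
# Added illustration; not Phoenix Storybook code. Module, function and
# key names are hypothetical.
defmodule AtomSafeParams do
  # Keys the handler is prepared to accept, fixed at compile time.
  @allowed_keys ~w(label variant disabled)a
  @by_string Map.new(@allowed_keys, &{Atom.to_string(&1), &1})

  # Unsafe pattern described in the advisory: every new string becomes a
  # permanent atom, so the caller controls atom table growth.
  def unsafe_key(key) when is_binary(key), do: String.to_atom(key)

  # Allowlist lookup: never creates an atom; unknown keys are rejected.
  def allowed_key(key) when is_binary(key) do
    case Map.fetch(@by_string, key) do
      {:ok, atom} -> {:ok, atom}
      :error -> {:error, :unknown_key}
    end
  end

  # Alternative when the valid set is "atoms the code base already defines":
  # String.to_existing_atom/1 raises ArgumentError instead of allocating.
  def existing_key(key) when is_binary(key) do
    {:ok, String.to_existing_atom(key)}
  rescue
    ArgumentError -> {:error, :unknown_key}
  end

  # Atom table usage, for before/after comparison and for monitoring.
  def atom_usage, do: {:erlang.system_info(:atom_count), :erlang.system_info(:atom_limit)}
end

# Constructed sample input: event params with one known and three unknown keys.
params = %{"label" => "Save", "k_0001" => "x", "k_0002" => "x", "k_0003" => "x"}

{before, limit} = AtomSafeParams.atom_usage()
safe = for {k, v} <- params, {:ok, a} <- [AtomSafeParams.allowed_key(k)], into: %{}, do: {a, v}
{after_safe, _} = AtomSafeParams.atom_usage()
IO.inspect(safe, label: "accepted assigns")
IO.puts("atoms added on allowlist path: #{after_safe - before} (limit #{limit})")

# The same keys through the unsafe conversion grow the table permanently.
Enum.each(Map.keys(params), &AtomSafeParams.unsafe_key/1)
{after_unsafe, _} = AtomSafeParams.atom_usage()
IO.puts("atoms added on String.to_atom path: #{after_unsafe - after_safe}")
```

Run it as a script with the elixir command; module loading during the run can add a few unrelated atoms to the printed counts. Polling atom_usage/0 in production gives early warning of atom table growth regardless of its source.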

Added: May 20, 2026, 2:21 PM
Updated: May 20, 2026, 2:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.0
remediation: 0.0
relevance: 8.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.