CVE Vulnerability Details :
CVE-2026-48597
PUBLISHED
Assigner: EEF
Assigner Org ID: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Published At: 02 Jun, 2026 | 19:08
Updated At: 04 Jun, 2026 | 04:45
Rejected At:
CVE Numbering Authority (CNA)
Atom table exhaustion via untrusted URL scheme in Tesla.Adapter.Mint

Allocation of Resources Without Limits or Throttling vulnerability in elixir-tesla tesla allows denial of service via atom table exhaustion in Tesla.Adapter.Mint. Tesla.Adapter.Mint.open_conn/2 converts the URL scheme of every outgoing request to a BEAM atom via String.to_atom(uri.scheme) with no allow-list validation. BEAM atoms are never garbage-collected and the atom table is bounded (approximately 1,048,576 entries by default). An attacker who can influence the URL of a Tesla request — either via an application-level URL-forwarding feature (webhook, proxy, importer) or via a Location header returned by a server when Tesla.Middleware.FollowRedirects is in the pipeline — can mint one fresh permanent atom per request by varying the scheme string. After enough requests the atom table fills and the VM crashes, taking down the entire application. This issue affects tesla: from 1.3.0 before 1.18.3.
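
The conversion described above, shown beside an allow-list lookup, as an added example (not code from Tesla, Mint, or the referenced patch). The module SchemeAtoms, its function names and the sample URLs are hypothetical and constructed for illustration.

```elixir
# Added illustration; SchemeAtoms and its functions are hypothetical names,
# not part of Tesla or Mint.
defmodule SchemeAtoms do
  # Fixed allow-list: the only atoms checked/1 can ever return.
  @allowed %{"http" => :http, "https" => :https}

  # Pattern named in the advisory: each distinct scheme string becomes a
  # new atom that is never garbage-collected.
  def unbounded(url), do: String.to_atom(URI.parse(url).scheme)

  # Allow-list lookup: unknown or missing schemes are rejected and no
  # atom is created for them.
  def checked(url) do
    scheme = URI.parse(url).scheme

    case Map.fetch(@allowed, String.downcase(scheme || "")) do
      {:ok, atom} -> {:ok, atom}
      :error -> {:error, {:unsupported_scheme, scheme}}
    end
  end

  # Atom-table growth caused by running fun over every URL.
  def atoms_added(urls, fun) do
    before = :erlang.system_info(:atom_count)
    Enum.each(urls, fun)
    :erlang.system_info(:atom_count) - before
  end
end

# Constructed sample input: schemes that differ only by a numeric suffix.
urls = for i <- 1..5, do: "demo-scheme-#{i}://example.invalid/"

# Warm-up so lazy module loading does not count toward the measurements.
SchemeAtoms.atoms_added(["https://example.invalid/"], &SchemeAtoms.checked/1)
SchemeAtoms.atoms_added(["https://example.invalid/"], &SchemeAtoms.unbounded/1)

IO.puts("checked/1 added:   #{SchemeAtoms.atoms_added(urls, &SchemeAtoms.checked/1)}")
IO.puts("unbounded/1 added: #{SchemeAtoms.atoms_added(urls, &SchemeAtoms.unbounded/1)}")
IO.puts("atom table: #{:erlang.system_info(:atom_count)} of #{:erlang.system_info(:atom_limit)}")
```

The last line reads the same two counters a running node can report to monitoring, which makes steady atom-table growth visible before the limit is reached.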

Affected Products
Vendor
elixir-tesla
Product
tesla
Collection URL
https://repo.hex.pm
Package Name
tesla
Repo
https://github.com/elixir-tesla/tesla
CPEs
  • cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*
Modules
  • 'Elixir.Tesla.Adapter.Mint'
Program Files
  • lib/tesla/adapter/mint.ex
Program Routines
  • 'Elixir.Tesla.Adapter.Mint':open_conn/2
Default Status
unaffected
Versions
Affected
  • From 1.3.0 before 1.18.3 (semver)
Vendor
elixir-tesla
Product
tesla
Collection URL
https://github.com
Package Name
elixir-tesla/tesla
Repo
https://github.com/elixir-tesla/tesla.git
CPEs
  • cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*
Modules
  • 'Elixir.Tesla.Adapter.Mint'
Program Files
  • lib/tesla/adapter/mint.ex
Program Routines
  • 'Elixir.Tesla.Adapter.Mint':open_conn/2
Default Status
unaffected
Versions
Affected
  • From ccd0823d4ba37581a37d8f6108f9a81b263237ef before 4699c3cb3e2fd6078f99f45f11cf7466aeedbf0e (git)
Problem Types
Type: CWE
CWE ID: CWE-770
Description: CWE-770 Allocation of Resources Without Limits or Throttling
Metrics
Version: 4.0
Base score: 8.2
Base severity: HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Impacts
CAPEC ID: CAPEC-130
Description: CAPEC-130 Excessive Allocation
Configurations

The application must use Tesla.Adapter.Mint and either expose a feature that forwards attacker-controlled URLs to Tesla, or include Tesla.Middleware.FollowRedirects in the middleware pipeline.

Credits

finder: Peter Ullrich
remediation developer: Yordis Prieto
analyst: Jonatan Männchen
References
Hyperlink: https://github.com/elixir-tesla/tesla/security/advisories/GHSA-h74c-q9j7-mpcm
Resource: vendor-advisory, related
Hyperlink: https://cna.erlef.org/cves/CVE-2026-48597.html
Resource: related
Hyperlink: https://osv.dev/vulnerability/EEF-CVE-2026-48597
Resource: related
Hyperlink: https://github.com/elixir-tesla/tesla/commit/4699c3cb3e2fd6078f99f45f11cf7466aeedbf0e
Resource: patch
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
References
Hyperlink: https://github.com/elixir-tesla/tesla/security/advisories/GHSA-h74c-q9j7-mpcm
Resource: exploit