GHSA-jjf9-w5vj-r6vp

Source

https://github.com/advisories/GHSA-jjf9-w5vj-r6vp

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-jjf9-w5vj-r6vp/GHSA-jjf9-w5vj-r6vp.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-jjf9-w5vj-r6vp

Aliases

CVE-2026-34593

Published

2026-04-01T00:14:40Z

Modified

2026-04-15T21:03:43.273924Z

Severity

8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Ash.Type.Module.cast_input/2 atom exhaustion via unchecked Module.concat allows BEAM VM crash

Details

Summary

Ash.Type.Module.cast_input/2 unconditionally creates a new Erlang atom via Module.concat([value]) for any user-supplied binary string that starts with "Elixir.", before verifying whether the referenced module exists. Because Erlang atoms are never garbage-collected and the BEAM atom table has a hard default limit of approximately 1,048,576 entries, an attacker who can submit values to any resource attribute or argument of type :module can exhaust this table and crash the entire BEAM VM, taking down the application.

Details

Setup: A resource with a :module-typed attribute exposed to user input, which is a supported and documented usage of the Ash.Type.Module built-in type:

defmodule MyApp.Widget do
  use Ash.Resource, domain: MyApp, data_layer: AshPostgres.DataLayer

  attributes do
    uuid_primary_key :id
    attribute :handler_module, :module, public?: true
  end

  actions do
    defaults [:read, :destroy]
    create :create do
      accept [:handler_module]
    end
  end
end

Vulnerable code in lib/ash/type/module.ex, lines 105-113:

def cast_input("Elixir." <> _ = value, _) do
  module = Module.concat([value])   # <-- Creates new atom unconditionally
  if Code.ensure_loaded?(module) do
    {:ok, module}
  else
    :error                          # <-- Returns error but atom is already created
  end
end

Exploit: Submit repeated Ash.create requests (e.g., via a JSON API endpoint) with unique "Elixir.*" strings:

# Attacker-controlled loop (or HTTP requests to an API endpoint)
for i <- 1..1_100_000 do
  Ash.Changeset.for_create(MyApp.Widget, :create, %{handler_module: "Elixir.Attack#{i}"})
  |> Ash.create()
  # Each iteration: Module.concat(["Elixir.Attack#{i}"]) creates a new atom
  # cast_input returns :error but the atom :"Elixir.Attack#{i}" persists
end
# After ~1,048,576 unique strings: BEAM crashes with system_limit

Contrast: The non-"Elixir." path in the same function correctly uses String.to_existing_atom/1, which is safe because it only looks up atoms that already exist:

def cast_input(value, _) when is_binary(value) do
  atom = String.to_existing_atom(value)   # safe - raises if atom doesn't exist
  ...
end

Additional occurrence: cast_stored/2 at line 141 contains the identical pattern, which is reachable when reading :module-typed values from the database if an attacker can write arbitrary "Elixir.*" strings to the relevant database column.

Impact

An attacker who can submit requests to any API endpoint backed by an Ash resource with a :module-typed attribute or argument can crash the entire BEAM VM process. This is a complete denial of service: all resources served by that VM instance (not just the targeted resource) become unavailable. The crash cannot be prevented once the atom table is full, and recovery requires a full process restart.

Fix direction: Replace Module.concat([value]) with String.to_existing_atom(value) wrapped in a rescue ArgumentError block (as already done in the non-"Elixir." branch), or validate that the atom already exists before calling Module.concat by first attempting String.to_existing_atom and only falling back to Module.concat on success.

Database specific

{
    "cwe_ids": [
        "CWE-400",
        "CWE-770"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "nvd_published_at": "2026-04-02T18:16:31Z",
    "github_reviewed_at": "2026-04-01T00:14:40Z"
}

References

Affected packages

Hex / ash

Package

Name: ash
Purl: pkg:hex/ash

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.22.0

Affected versions

0.*

0.1.0

0.1.1

0.1.3

0.1.8

0.1.9

0.2.0

0.3.0

0.4.0

0.5.0

0.5.1

0.5.2

0.6.0

0.6.1

0.6.2

0.6.3

0.6.4

0.6.5

0.7.0

0.8.0

0.9.0

0.9.1

0.10.0

0.12.0

0.13.0

0.13.1

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.1.0

1.1.2

1.1.3

1.2.0

1.2.1

1.3.0

1.3.1

1.4.0

1.4.1

1.5.0

1.5.1

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

1.6.5

1.6.6

1.6.7

1.6.8

1.7.0

1.8.0

1.9.0

1.10.0

1.11.0

1.11.1

1.12.0

1.13.0

1.13.1

1.13.2

1.13.3

1.13.4

1.14.0

1.15.0

1.15.1

1.16.2

1.17.0

1.17.1

1.18.0

1.18.1

1.19.0

1.19.1

1.20.0

1.20.1

1.22.0

1.22.1

1.23.0

1.23.1

1.23.2

1.23.3

1.24.0

1.24.1

1.24.2

1.25.0

1.25.1

1.25.2

1.25.3

1.25.4

1.25.5

1.25.6

1.25.7

1.25.8

1.26.0

1.26.1

1.26.2

1.26.4

1.26.5

1.26.6

1.26.7

1.26.8

1.26.9

1.26.10

1.26.11

1.26.12

1.26.13

1.27.0

1.27.1

1.28.0

1.28.1

1.29.0-rc0

1.29.0-rc1

1.30.1

1.30.2

1.31.0

1.31.1

1.32.0

1.32.1

1.32.2

1.33.0

1.34.0

1.34.1

1.34.2

1.34.3

1.34.4

1.34.5

1.34.6

1.34.7

1.34.8

1.34.9

1.35.0

1.35.1

1.36.0

1.36.2

1.36.3

1.36.4

1.36.5

1.36.6

1.36.7

1.36.8

1.36.9

1.36.10

1.36.11

1.36.12

1.36.13

1.36.14

1.36.15

1.36.16

1.36.17

1.36.18

1.36.19

1.36.21

1.36.22

1.37.0

1.37.1

1.37.2

1.38.0

1.39.0

1.39.1

1.39.2

1.39.3

1.39.4

1.39.5

1.39.6

1.39.7

1.40.0

1.41.0

1.41.1

1.41.2

1.41.3

1.41.4

1.41.5

1.41.6

1.41.7

1.41.8

1.41.9

1.41.10

1.41.11

1.41.12

1.42.0

1.43.0

1.43.1

1.43.2

1.43.3

1.43.4

1.43.5

1.43.6

1.43.7

1.43.8

1.43.9

1.43.10

1.43.11

1.43.12

1.44.0

1.44.1

1.44.2

1.44.3

1.44.4

1.44.5

1.44.6

1.44.7

1.44.8

1.44.9

1.44.10

1.44.11

1.44.12

1.44.13

1.45.0-rc0

1.45.0-rc1

1.45.0-rc10

1.45.0-rc11

1.45.0-rc12

1.45.0-rc13

1.45.0-rc14

1.45.0-rc15

1.45.0-rc16

1.45.0-rc17

1.45.0-rc18

1.45.0-rc19

1.45.0-rc2

1.45.0-rc20

1.45.0-rc3

1.45.0-rc4

1.45.0-rc5

1.45.0-rc6

1.45.0-rc7

1.45.0-rc8

1.45.0-rc9

1.46.0

1.46.1

1.46.2

1.46.3

1.46.4

1.46.5

1.46.6

1.46.7

1.46.8

1.46.9

1.46.10

1.46.11

1.46.12

1.46.13

1.47.0

1.47.1

1.47.2

1.47.3

1.47.4

1.47.5

1.47.6

1.47.7

1.47.8

1.47.9

1.47.10

1.47.11

1.47.12

1.48.0-rc.0

1.48.0-rc.1

1.48.0-rc.2

1.48.0-rc.3

1.48.0-rc.4

1.48.0-rc.5

1.48.0-rc.6

1.48.0-rc.7

1.48.0-rc.8

1.48.0-rc.9

1.48.0-rc.10

1.48.0-rc.11

1.48.0-rc.12

1.48.0-rc.13

1.48.0-rc.14

1.48.0-rc.15

1.48.0-rc.16

1.48.0-rc.17

1.48.0-rc.18

1.48.0-rc.19

1.48.0-rc.20

1.48.0-rc.21

1.48.0-rc.22

1.48.0-rc.23

1.48.0-rc.24

1.48.0-rc.25

1.48.0-rc.26

1.48.0-rc.27

1.48.0-rc.28

1.48.0-rc.29

1.48.0-rc.30

1.49.0

1.50.0

1.50.1

1.50.2

1.50.3

1.50.4

1.50.5

1.50.6

1.50.7

1.50.8

1.50.9

1.50.10

1.50.11

1.50.12

1.50.13

1.50.14

1.50.15

1.50.16

1.50.17

1.50.18

1.50.19

1.50.20

1.50.21

1.51.0

1.51.1

1.51.2

1.52.0-rc.0

1.52.0-rc.1

1.52.0-rc.2

1.52.0-rc.3

1.52.0-rc.4

1.52.0-rc.5

1.52.0-rc.6

1.52.0-rc.7

1.52.0-rc.8

1.52.0-rc.9

1.52.0-rc.10

1.52.0-rc.11

1.52.0-rc.12

1.52.0-rc.13

1.52.0-rc.14

1.52.0-rc.15

1.52.0-rc.16

1.52.0-rc.17

1.52.0-rc.18

1.52.0-rc.19

1.52.0-rc.20

1.52.0-rc.21

1.52.0-rc.22

1.53.0

1.53.2

1.53.3

2.*

2.0.0-pre.0

2.0.0-pre.1

2.0.0-pre.2

2.0.0-pre.3

2.0.0-pre.4

2.0.0-pre.5

2.0.0-pre.6

2.0.0-pre.7

2.0.0-pre.8

2.0.0-rc.0

2.0.0-rc.1

2.0.0-rc.2

2.0.0-rc.3

2.0.0-rc.4

2.0.0-rc.5

2.0.0-rc.6

2.0.0-rc.7

2.0.0-rc.8

2.0.0-rc.9

2.0.0-rc.10

2.0.0-rc.11

2.0.0-rc.12

2.0.0-rc.13

2.0.0-rc.14

2.0.0-rc.15

2.0.0

2.1.0

2.2.0

2.3.0

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.4.5

2.4.6

2.4.7

2.4.8

2.4.9

2.4.10

2.4.11

2.4.12

2.4.13

2.4.14

2.4.15

2.4.16

2.4.17

2.4.18

2.4.19

2.4.20

2.4.21

2.4.22

2.4.23

2.4.24

2.4.25

2.4.26

2.4.27

2.4.28

2.4.29

2.4.30

2.5.0-rc.0

2.5.0-rc.1

2.5.0-rc.2

2.5.0-rc.3

2.5.0-rc.4

2.5.0-rc.5

2.5.0-rc.6

2.5.0

2.5.1

2.5.2

2.5.3

2.5.4

2.5.5

2.5.6

2.5.7

2.5.8

2.5.9

2.5.10

2.5.11

2.5.12

2.5.13

2.5.14

2.5.15

2.5.16

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.6.5

2.6.6

2.6.7

2.6.8

2.6.9

2.6.10

2.6.11

2.6.13

2.6.14

2.6.15

2.6.16

2.6.17

2.6.18

2.6.19

2.6.20

2.6.21

2.6.22

2.6.23

2.6.24

2.6.25

2.6.26

2.6.27

2.6.28

2.6.29

2.6.30

2.6.31

2.7.0

2.7.1

2.8.0

2.8.1

2.9.0

2.9.1

2.9.2

2.9.3

2.9.4

2.9.5

2.9.6

2.9.7

2.9.8

2.9.9

2.9.10

2.9.11

2.9.12

2.9.13

2.9.14

2.9.15

2.9.16

2.9.17

2.9.18

2.9.19

2.9.20

2.9.21

2.9.22

2.9.23

2.9.24

2.9.25

2.9.26

2.9.27

2.9.28

2.9.29

2.10.0

2.10.1

2.10.2

2.11.0-rc.0

2.11.0-rc.1

2.11.0-rc.2

2.11.0-rc.3

2.11.0

2.11.1

2.11.2

2.11.3

2.11.4

2.11.5

2.11.6

2.11.7

2.11.8

2.11.9

2.11.10

2.11.11

2.12.0

2.12.1

2.13.0

2.13.1

2.13.2

2.13.3

2.13.4

2.14.0

2.14.1

2.14.2

2.14.3

2.14.4

2.14.5

2.14.6

2.14.7

2.14.8

2.14.9

2.14.10

2.14.11

2.14.12

2.14.13

2.14.14

2.14.15

2.14.16

2.14.17

2.14.18

2.14.19

2.14.20

2.14.21

2.15.0

2.15.1

2.15.2

2.15.4

2.15.5

2.15.6

2.15.7

2.15.8

2.15.9

2.15.10

2.15.11

2.15.12

2.15.13

2.15.14

2.15.15

2.15.16

2.15.17

2.15.18

2.15.19

2.15.20

2.16.0

2.16.1

2.17.0

2.17.1

2.17.2

2.17.3

2.17.4

2.17.5

2.17.6

2.17.7

2.17.8

2.17.9

2.17.10

2.17.11

2.17.12

2.17.13

2.17.14

2.17.15

2.17.16

2.17.17

2.17.18

2.17.19

2.17.20

2.17.21

2.17.22

2.17.23

2.17.24

2.18.0

2.18.1

2.18.2

2.19.0

2.19.1

2.19.2

2.19.3

2.19.4

2.19.5

2.19.6

2.19.7

2.19.8

2.19.9

2.19.10

2.19.11

2.19.12

2.19.13

2.19.14

2.20.0

2.20.1

2.20.2

2.20.3

2.21.0

2.21.1

2.21.2

2.21.3

2.21.4

2.21.5

2.21.6

2.21.7

2.21.8

2.21.9

2.21.10

2.21.11

2.21.12

2.21.13

2.21.14

2.21.15

3.*

3.0.0-rc.0

3.0.0-rc.1

3.0.0-rc.3

3.0.0-rc.4

3.0.0-rc.5

3.0.0-rc.6

3.0.0-rc.7

3.0.0-rc.8

3.0.0-rc.9

3.0.0-rc.10

3.0.0-rc.11

3.0.0-rc.12

3.0.0-rc.13

3.0.0-rc.14

3.0.0-rc.15

3.0.0-rc.16

3.0.0-rc.17

3.0.0-rc.18

3.0.0-rc.19

3.0.0-rc.20

3.0.0-rc.21

3.0.0-rc.22

3.0.0-rc.23

3.0.0-rc.24

3.0.0-rc.25

3.0.0-rc.26

3.0.0-rc.27

3.0.0-rc.28

3.0.0-rc.29

3.0.0-rc.31

3.0.0-rc.32

3.0.0-rc.33

3.0.0-rc.34

3.0.0-rc.35

3.0.0-rc.36

3.0.0-rc.37

3.0.0-rc.38

3.0.0-rc.39

3.0.0-rc.40

3.0.0-rc.41

3.0.0-rc.42

3.0.0-rc.43

3.0.0-rc.44

3.0.0-rc.45

3.0.0-rc.46

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.0.10

3.0.11

3.0.12

3.0.13

3.0.14

3.0.15

3.0.16

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.2.0

3.2.1

3.2.2

3.2.3

3.2.4

3.2.5

3.2.6

3.3.0

3.3.1

3.3.2

3.3.3

3.4.0

3.4.1

3.4.2

3.4.3

3.4.4

3.4.5

3.4.6

3.4.7

3.4.8

3.4.9

3.4.10

3.4.11

3.4.12

3.4.13

3.4.14

3.4.15

3.4.16

3.4.17

3.4.18

3.4.19

3.4.20

3.4.21

3.4.22

3.4.23

3.4.24

3.4.25

3.4.26

3.4.27

3.4.28

3.4.29

3.4.30

3.4.31

3.4.32

3.4.33

3.4.34

3.4.35

3.4.36

3.4.37

3.4.38

3.4.39

3.4.40

3.4.41

3.4.42

3.4.43

3.4.44

3.4.45

3.4.46

3.4.47

3.4.48

3.4.49

3.4.50

3.4.51

3.4.52

3.4.53

3.4.54

3.4.55

3.4.56

3.4.57

3.4.58

3.4.59

3.4.60

3.4.61

3.4.62

3.4.63

3.4.64

3.4.65

3.4.66

3.4.67

3.4.68

3.4.69

3.4.70

3.4.71

3.4.72

3.4.73

3.4.74

3.5.0

3.5.1

3.5.2

3.5.3

3.5.4

3.5.5

3.5.6

3.5.7

3.5.8

3.5.9

3.5.10

3.5.11

3.5.12

3.5.13

3.5.14

3.5.15

3.5.16

3.5.17

3.5.18

3.5.19

3.5.20

3.5.21

3.5.22

3.5.23

3.5.24

3.5.25

3.5.26

3.5.27

3.5.28

3.5.29

3.5.30

3.5.31

3.5.32

3.5.33

3.5.34

3.5.35

3.5.36

3.5.37

3.5.38

3.5.39

3.5.40

3.5.41

3.5.42

3.5.43

3.6.0

3.6.1

3.6.2

3.6.3

3.7.0

3.7.1

3.7.2

3.7.3

3.7.4

3.7.5

3.7.6

3.8.0

3.9.0

3.10.0

3.10.1

3.11.0

3.11.1

3.11.2

3.11.3

3.12.0

3.13.0

3.13.1

3.13.2

3.14.0

3.14.1

3.15.0

3.16.0

3.17.0

3.17.1

3.18.0

3.19.0

3.19.1

3.19.2

3.19.3

3.20.0

3.21.0

3.21.1

3.21.2

3.21.3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-jjf9-w5vj-r6vp/GHSA-jjf9-w5vj-r6vp.json"

last_known_affected_version_range

"<= 3.21.3"