Medium severity 5.3 · NVD Advisory · Published Apr 4, 2024 · Updated Apr 15, 2026
CVE-2024-31209
Description
oidcc is the OpenID Connect client library for Erlang. Denial of Service (DoS) by atom exhaustion is possible by calling oidcc_provider_configuration_worker:get_provider_configuration/1 or oidcc_provider_configuration_worker:get_jwks/1. This issue has been patched in versions 3.1.2 and 3.2.0-beta.3.
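The following is an added example, not oidcc's own code: a small check that measures how many atoms a call creates, applied to the pre-patch table-name derivation (taken from the removed lines of the fix) and to the patched form. The module name `atom_growth_check`, its function names and the sample worker names are hypothetical.

```erlang
%% Added example; module, function and worker names are hypothetical.
-module(atom_growth_check).
-export([atoms_created/1, old_table_name/1, new_table_name/1,
         headroom/0, demo/0]).

%% Number of atoms added to the VM atom table while Fun runs.
%% Other processes can create atoms concurrently, so measure on a quiet node.
atoms_created(Fun) when is_function(Fun, 0) ->
    Before = erlang:system_info(atom_count),
    _ = Fun(),
    erlang:system_info(atom_count) - Before.

%% Pre-patch derivation, as shown in the removed lines of the fix:
%% every distinct worker name interns one more atom.
old_table_name(WorkerName) when is_atom(WorkerName) ->
    {ok, erlang:list_to_atom(erlang:atom_to_list(WorkerName) ++ "_table")}.

%% Patched behaviour: the atom the caller already holds is reused.
new_table_name(Name) when is_atom(Name) ->
    {ok, Name}.

%% Fraction of the atom table still free; useful as a health metric.
%% Atoms are never garbage collected, so this value only ever shrinks.
headroom() ->
    Limit = erlang:system_info(atom_limit),
    (Limit - erlang:system_info(atom_count)) / Limit.

%% Constructed sample input: 100 worker names made unique per run so that
%% reruns in the same node do not hit atoms that already exist.
sample_names() ->
    [list_to_atom("demo_worker_" ++
                  integer_to_list(erlang:unique_integer([positive])))
     || _ <- lists:seq(1, 100)].

%% Returns the atom growth caused by each derivation over the same names.
demo() ->
    Names = sample_names(),
    Old = atoms_created(fun() -> [old_table_name(N) || N <- Names] end),
    New = atoms_created(fun() -> [new_table_name(N) || N <- Names] end),
    #{old => Old, new => New, headroom => headroom()}.
```

Compile with `c(atom_growth_check).` in an Erlang shell and call `atom_growth_check:demo().`; the `atoms_created/1` helper can be reused in a regression test around any call that must not intern atoms.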
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| oidcc (Hex) | >= 3.0.0, < 3.0.2 | 3.0.2 |
| oidcc (Hex) | >= 3.1.0, < 3.1.2 | 3.1.2 |
| oidcc (Hex) | >= 3.2.0-beta.1, < 3.2.0-beta.3 | 3.2.0-beta.3 |
Patches
2f304d877c7e Merge pull request from GHSA-mj35-2rgf-cv8p
1 file changed · +3 −4
src/oidcc_provider_configuration_worker.erl+3 −4 modified@@ -352,16 +352,15 @@ lookup_in_ets_or_call(Name, Key, Call) -> -spec get_ets_table_name(WorkerRef :: gen_server:server_ref()) -> {ok, gen_server:server_ref()} | error. -get_ets_table_name(WorkerName) when is_atom(WorkerName) -> - {ok, erlang:list_to_atom(erlang:atom_to_list(WorkerName) ++ "_table")}; +get_ets_table_name(Name) when is_atom(Name) -> + {ok, Name}; get_ets_table_name(_Ref) -> error. -spec register_ets_table(Opts :: opts()) -> ets:table() | undefined. register_ets_table(Opts) -> case maps:get(name, Opts, undefined) of - {local, WorkerName} -> - Name = erlang:list_to_atom(erlang:atom_to_list(WorkerName) ++ "_table"), + {local, Name} -> ets:new(Name, [named_table, bag, protected, {read_concurrency, true}]); _OtherName -> undefined
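Review bot: In get_ets_table_name/1 the -spec still advertises {ok, gen_server:server_ref()} | error, although the atom clause now returns the caller's atom unchanged and every other reference yields error. Narrowing the success type to {ok, atom()} would document that only locally registered names have a table. A short comment that the table is now named after the worker itself, no longer with the "_table" suffix, would also help anyone who addressed the old table name directly.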
ac458ed88dc2 Merge pull request from GHSA-mj35-2rgf-cv8p
1 file changed · +3 −4
src/oidcc_provider_configuration_worker.erl+3 −4 modified@@ -382,16 +382,15 @@ lookup_in_ets_or_call(Name, Key, Call) -> -spec get_ets_table_name(WorkerRef :: gen_server:server_ref()) -> {ok, gen_server:server_ref()} | error. -get_ets_table_name(WorkerName) when is_atom(WorkerName) -> - {ok, erlang:list_to_atom(erlang:atom_to_list(WorkerName) ++ "_table")}; +get_ets_table_name(Name) when is_atom(Name) -> + {ok, Name}; get_ets_table_name(_Ref) -> error. -spec register_ets_table(Opts :: opts()) -> ets:table() | undefined. register_ets_table(Opts) -> case maps:get(name, Opts, undefined) of - {local, WorkerName} -> - Name = erlang:list_to_atom(erlang:atom_to_list(WorkerName) ++ "_table"), + {local, Name} -> ets:new(Name, [named_table, bag, protected, {read_concurrency, true}]); _OtherName -> undefined
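Review bot: In register_ets_table/1 the {local, Name} clause now hands the worker's own name to ets:new/2 with named_table, which fails with badarg if the application already owns a named table under that atom; before this change the "_table" suffix made such a clash unlikely. A line in the documentation or changelog stating that the worker name doubles as an ETS table name would cover it.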
48171fb62688 Merge pull request from GHSA-mj35-2rgf-cv8p
1 file changed · +3 −4
src/oidcc_provider_configuration_worker.erl+3 −4 modified@@ -352,16 +352,15 @@ lookup_in_ets_or_call(Name, Key, Call) -> -spec get_ets_table_name(WorkerRef :: gen_server:server_ref()) -> {ok, gen_server:server_ref()} | error. -get_ets_table_name(WorkerName) when is_atom(WorkerName) -> - {ok, erlang:list_to_atom(erlang:atom_to_list(WorkerName) ++ "_table")}; +get_ets_table_name(Name) when is_atom(Name) -> + {ok, Name}; get_ets_table_name(_Ref) -> error. -spec register_ets_table(Opts :: opts()) -> ets:table() | undefined. register_ets_table(Opts) -> case maps:get(name, Opts, undefined) of - {local, WorkerName} -> - Name = erlang:list_to_atom(erlang:atom_to_list(WorkerName) ++ "_table"), + {local, Name} -> ets:new(Name, [named_table, bag, protected, {read_concurrency, true}]); _OtherName -> undefined
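Review bot: No regression test accompanies the change (1 file changed, only src/oidcc_provider_configuration_worker.erl), so nothing prevents a later refactor from reintroducing erlang:list_to_atom in get_ets_table_name/1. Suggest a test that records erlang:system_info(atom_count), calls get_provider_configuration/1 and get_jwks/1 with several distinct worker names, and asserts that the count did not grow.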
References
- github.com/advisories/GHSA-mj35-2rgf-cv8p (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-31209 (ghsa, ADVISORY)
- erlef.github.io/security-wg/secure_coding_and_deployment_hardening/atom_exhaustion.html (ghsa, WEB)
- github.com/erlef/oidcc/blob/018dbb53dd752cb1e331637d8e0e6a489ba1fae9/src/oidcc_provider_configuration_worker.erl (nvd, WEB)
- github.com/erlef/oidcc/commit/2f304d877c7e0613d6fd952d7feacbf40dbc355c (nvd, WEB)
- github.com/erlef/oidcc/commit/48171fb62688fb4eec1ead0884aa501e0aa68649 (nvd, WEB)
- github.com/erlef/oidcc/commit/ac458ed88dc292aad6fa7343f6a53e73c560fb1a (nvd, WEB)
- github.com/erlef/oidcc/security/advisories/GHSA-mj35-2rgf-cv8p (nvd, WEB)