VYPR
High severity · 7.5 · NVD Advisory · Published Apr 2, 2026 · Updated Apr 13, 2026

CVE-2026-34593

Description

Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.cast_input/2 unconditionally creates a new Erlang atom via Module.concat([value]) for any user-supplied binary string that starts with "Elixir.", before verifying whether the referenced module exists. Because Erlang atoms are never garbage-collected and the BEAM atom table has a hard default limit of approximately 1,048,576 entries, an attacker who can submit values to any resource attribute or argument of type :module can exhaust this table and crash the entire BEAM VM, taking down the application. This issue has been patched in version 3.22.0.
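
An added example, not taken from the advisory or from Ash's code base: it contrasts the `Module.concat` pattern described above with a lookup that never creates atoms, and uses `:erlang.system_info(:atom_count)` to make the difference visible. The module `AtomSafeModuleCast` and the `Constructed.*` names are hypothetical; the file is meant to be run as a script with `elixir`.

```elixir
defmodule AtomSafeModuleCast do
  @moduledoc false
  # Hypothetical helper (not Ash's code): resolve a user-supplied string to a
  # loaded module without ever creating a new atom.
  def cast("Elixir." <> _ = value) do
    # Raises ArgumentError when the atom is not already in the atom table.
    module = String.to_existing_atom(value)
    if Code.ensure_loaded?(module), do: {:ok, module}, else: :error
  rescue
    ArgumentError -> :error
  end

  def cast(_other), do: :error

  # Number of atoms currently interned in this VM.
  def atom_count, do: :erlang.system_info(:atom_count)
end

# Constructed input: 100 module-style names that no module in the VM uses.
unknown = for i <- 1..100, do: "Elixir.Constructed.NoSuchModule#{i}"

# Warm-up so lazily loaded modules do not distort the measurement.
AtomSafeModuleCast.cast("Elixir.Constructed.WarmUp")
Module.concat(["Elixir.Constructed.WarmUp"])

count_start = AtomSafeModuleCast.atom_count()
results = Enum.map(unknown, &AtomSafeModuleCast.cast/1)
count_after_safe = AtomSafeModuleCast.atom_count()

# The pre-3.22.0 pattern from the advisory: the atom is created before any
# existence check, so every distinct string costs one table entry for good.
Enum.each(unknown, fn name -> Module.concat([name]) end)
count_after_concat = AtomSafeModuleCast.atom_count()

IO.inspect(Enum.uniq(results), label: "safe cast results for unknown names")
IO.inspect(AtomSafeModuleCast.cast("Elixir.Enum"), label: "known module")
IO.puts("atoms added by safe cast:     #{count_after_safe - count_start}")
IO.puts("atoms added by Module.concat: #{count_after_concat - count_after_safe}")
IO.puts("atom table limit:             #{:erlang.system_info(:atom_limit)}")
```

Tracking `atom_count` against `atom_limit` in production telemetry gives early warning of this class of leak on versions that have not been upgraded.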

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| ash (Hex) | < 3.22.0 | 3.22.0 |

Patches

7031103da38c

fix: remove `Module.concat` from `Ash.Type.Module.cast_input/2`

https://github.com/ash-project/ash · Zach Daniel · Mar 29, 2026 · via ghsa
1 file changed · +0 -10
  • lib/ash/type/module.ex · +0 -10 · modified
    @@ -102,16 +102,6 @@ defmodule Ash.Type.Module do
     
       def cast_input("", _), do: {:ok, nil}
     
    -  def cast_input("Elixir." <> _ = value, _) do
    -    module = Module.concat([value])
    -
    -    if Code.ensure_loaded?(module) do
    -      {:ok, module}
    -    else
    -      :error
    -    end
    -  end
    -
       def cast_input(value, _) when is_binary(value) do
         atom = String.to_existing_atom(value)
     
    
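
Review bot: With the `"Elixir." <> _` clause removed, those strings now fall through to the `cast_input(value, _) when is_binary(value)` clause at the end of the hunk, which calls `String.to_existing_atom(value)`. That call raises `ArgumentError` when no such atom exists, and the context shown ends before any rescue, so confirm the clause returns `:error` instead of raising. The commit touches only `lib/ash/type/module.ex`; a regression test that casts an unknown `"Elixir."`-prefixed string and checks that `:erlang.system_info(:atom_count)` does not grow would pin the fix. It is also worth documenting that a module name whose atom is not yet in the table is no longer resolved on this path, since the removed clause created the atom and then called `Code.ensure_loaded?/1`.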
