CVE-2026-53426
Status: Received - Intake

Atom Exhaustion DoS in MDEx via Untrusted JSON Input

Vulnerability report for CVE-2026-53426, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: EEF

Description

Allocation of Resources Without Limits or Throttling vulnerability in leandrocp MDEx allows Excessive Allocation. MDEx.parse_document/2 accepts a {:json, json} source. In lib/mdex.ex, the private json_to_node/1 function passes the attacker-controlled node_type value to Module.concat/1, which calls String.to_atom/1 and interns a brand-new atom for every distinct value. Atoms are never garbage collected on the BEAM, so a crafted JSON document carrying a unique node_type at each (deeply nested) node mints one permanent atom per node. A single document can intern hundreds of thousands of atoms, and a large enough document exhausts the default atom table (around 1,048,576 atoms) and aborts the entire Erlang VM, taking down every process on the node. Any application that passes untrusted input to the {:json, ...} source of MDEx.parse_document is exposed to an unauthenticated denial-of-service. This issue affects mdex from 0.4.3 before 0.13.2.


Meta Information

Generated: 2026-06-30
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor: leandrocp
Product: mdex
Version / Range: from 0.4.3 (inclusive) to 0.13.2 (exclusive)

Exploitability

CWE-770 (Allocation of Resources Without Limits or Throttling): The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-53426 is a vulnerability in the MDEx library affecting versions 0.4.3 through 0.13.1. It occurs in MDEx.parse_document/2 when the function is given a {:json, json} source. The private function json_to_node/1 passes the attacker-controlled node_type string to Module.concat/1, which converts it into an atom with String.to_atom/1. Atoms in the Erlang BEAM VM are never garbage collected, so each unique node_type creates a permanent atom.

An attacker can craft a JSON document with many unique node_type values at deeply nested nodes, causing the system to create hundreds of thousands of atoms. This exhausts the atom table limit (around 1,048,576 atoms), causing the Erlang VM to abort and resulting in a denial-of-service (DoS) that takes down all processes on the node.

Any application passing untrusted input to the {:json, ...} source of MDEx.parse_document/2 is vulnerable to this unauthenticated DoS attack.

Compliance Impact

The vulnerability in MDEx allows an unauthenticated attacker to cause a denial-of-service by exhausting the Erlang VM atom table, which results in the entire node crashing and all processes being taken down.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the denial-of-service impact could affect availability requirements that are part of many security and privacy regulations.

Specifically, regulations like GDPR and HIPAA require ensuring the availability and resilience of systems processing personal or sensitive data. A denial-of-service vulnerability that can crash the entire system may lead to non-compliance with these availability requirements.

However, since the vulnerability does not directly involve data leakage or unauthorized access, its primary compliance impact is related to system availability rather than confidentiality or integrity.

Impact Analysis

This vulnerability can cause a denial-of-service (DoS) condition by exhausting the Erlang VM's atom table. When the atom table is exhausted, the entire Erlang VM aborts, which crashes all processes running on the node.

As a result, any application using the vulnerable MDEx library and passing untrusted JSON input to MDEx.parse_document/2 with the {:json, ...} source can be taken down by an attacker without authentication.

This impacts system availability severely, potentially causing downtime and service disruption.

Detection Guidance

This vulnerability occurs when the MDEx.parse_document/2 function processes untrusted JSON input containing attacker-controlled node_type values, which leads to excessive atom creation and eventual exhaustion of the Erlang VM atom table.

Detection involves monitoring the Erlang VM for signs of atom table exhaustion or abnormal crashes related to the MDEx library when parsing JSON input.

Since the vulnerability is triggered by crafted JSON documents with many unique node_type values, you can detect attempts by observing logs or network traffic for unusually large or deeply nested JSON payloads sent to applications using MDEx.parse_document/2 with the {:json, ...} source.

There are no specific commands provided in the resources to detect this vulnerability directly.

Mitigation Strategies

The recommended immediate mitigation is to avoid passing untrusted or attacker-controlled input to the {:json, ...} source of MDEx.parse_document/2.

If possible, switch to using the {:markdown, ...} source instead, which is not affected by this vulnerability.

Upgrade the MDEx library to version 0.13.2 or later, where the vulnerability has been fixed by replacing unsafe atom creation with a safe method that prevents atom table exhaustion.
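The unsafe conversion described in the Description and the safer conversion called for under Mitigation Strategies, as an added Elixir example that is not MDEx's own code; the Demo.* module names, the node map shape, the sample document and the allowlist contents are assumptions.

```elixir
# Added example, not MDEx's own code. Demo.* module names, the node map shape
# and the sample document are hypothetical and constructed for illustration.
defmodule SafeNodeType do
  # Allowlist: the only node_type strings the parser may map to modules.
  @known_types %{"document" => Demo.Document, "paragraph" => Demo.Paragraph, "text" => Demo.Text}

  # Vulnerable pattern from the advisory: Module.concat/1 interns a new,
  # never-collected atom for every distinct node_type value it is given.
  def unsafe_module_for(node_type) when is_binary(node_type) do
    Module.concat([Demo, Macro.camelize(node_type)])
  end

  # Hardened pattern: a map lookup never touches the atom table, so unknown
  # values are rejected instead of minting atoms.
  def safe_module_for(node_type) when is_binary(node_type) do
    case Map.fetch(@known_types, node_type) do
      {:ok, mod} -> {:ok, mod}
      :error -> {:error, {:unknown_node_type, node_type}}
    end
  end

  # Depth-first validation of a decoded JSON tree; fails on the first unknown
  # node_type so a hostile document is rejected before any conversion.
  def validate(%{"node_type" => type} = node) when is_binary(type) do
    with {:ok, _mod} <- safe_module_for(type) do
      Enum.reduce_while(Map.get(node, "children", []), :ok, fn child, :ok ->
        case validate(child), do: (:ok -> {:cont, :ok}; error -> {:halt, error})
      end)
    end
  end
  def validate(_other), do: {:error, :malformed_node}

  # Monitoring hook: atoms in use versus the VM limit, for alerting.
  def atom_usage do
    count = :erlang.system_info(:atom_count)
    limit = :erlang.system_info(:atom_limit)
    {count, limit, Float.round(count / limit * 100, 2)}
  end

  # Constructed sample: a valid tree plus one node with an unlisted type.
  def demo do
    validate(%{
      "node_type" => "document",
      "children" => [
        %{"node_type" => "paragraph", "children" => [%{"node_type" => "text"}]},
        %{"node_type" => "unknown_type_0001"}
      ]
    })
  end
end
```

SafeNodeType.demo/0 returns {:error, {:unknown_node_type, "unknown_type_0001"}} without interning an atom for the rejected value, and atom_usage/0 gives the count-versus-limit figure worth alerting on in production.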
