PlugCowboy, Unauthenticated Remote DoS via HTTP/2 Atom-Table Exhaustion, CVE-2026-32688 (High)


How the mentioned CVE works

The vulnerability resides in `Plug.Cowboy.Conn` and allows an unauthenticated remote attacker to permanently exhaust the BEAM atom table, causing the entire Erlang VM to crash. The root cause is the unsafe conversion of client‑supplied HTTP/2 `:scheme` pseudo‑header values into atoms with no validation or rate limiting.
When an HTTP/2 request is received, `Plug.Cowboy.Conn.conn/1` calls `String.to_atom/1` on the value returned by `:cowboy_req.scheme/1`. For HTTP/2 connections, Cowlib passes the `:scheme` pseudo‑header value verbatim without any sanitisation. Each unique `:scheme` value triggers the creation of a new atom in the atom table.
Atoms in the Erlang VM are never garbage‑collected, and the atom table has a fixed upper limit (default 1,048,576 entries). Because no limits are placed on the `:scheme` values, an attacker can send a large number of distinct `:scheme` strings until the table is exhausted. Once the limit is reached, the VM aborts with a `system_limit` error, taking down the entire node.
This vulnerability affects all versions of `plug_cowboy` from 2.0.0 up to but not including 2.8.1, where the issue has been fixed. It does not affect HTTP/1.1 connections, because in that case the scheme is derived from the listener type rather than from the client.
A direct HTTPS endpoint exposed without a proxy is vulnerable. However, if a proxy (many of which use HTTP/1.1 internally) is in place, the risk may be reduced. Applications using alternative HTTP adapters such as Bandit are not affected.
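To make the interning behaviour concrete, the following is an added illustration written for this page; it is not plug_cowboy's source and not its 2.8.1 fix. It places the `String.to_atom/1` pattern the advisory describes beside an explicit two-value mapping, and adds a helper that measures how many atoms a conversion function adds for constructed inputs of the form `"scheme-1"`, `"scheme-2"`, and so on. Module and function names are my own.

```elixir
# Added illustration for this advisory, not plug_cowboy's own code.
# Run inside `iex`; needs OTP 20+ for :erlang.system_info(:atom_count).
defmodule SchemeInterning do
  # The risky pattern: every distinct client string becomes a new atom,
  # and the VM never reclaims atoms.
  def unsafe_to_atom(scheme) when is_binary(scheme), do: String.to_atom(scheme)

  # Bounded alternative: the only schemes an HTTP request can legitimately
  # carry are listed explicitly, so no input can grow the atom table.
  def safe_to_atom("http"), do: {:ok, :http}
  def safe_to_atom("https"), do: {:ok, :https}
  def safe_to_atom(other) when is_binary(other), do: {:error, {:invalid_scheme, other}}

  # Measures how many atoms `fun` adds when called with `n` distinct
  # constructed inputs. Keep `n` small: atoms created by the unsafe branch
  # remain in this VM until it exits.
  def atoms_added_by(fun, n) when is_function(fun, 1) and is_integer(n) and n > 0 do
    before = :erlang.system_info(:atom_count)
    Enum.each(1..n, fn i -> fun.("scheme-#{i}") end)
    :erlang.system_info(:atom_count) - before
  end

  # Current atom-table occupancy as a percentage of the configured limit.
  def occupancy_percent do
    :erlang.system_info(:atom_count) / :erlang.system_info(:atom_limit) * 100
  end
end
```

Calling `SchemeInterning.atoms_added_by(&SchemeInterning.unsafe_to_atom/1, 1_000)` on a fresh VM grows the table by one atom per distinct input, while the same call with `&SchemeInterning.safe_to_atom/1` adds none; `occupancy_percent/0` is the same check the advisory suggests running in IEx. `String.to_existing_atom/1` is a weaker substitute for the explicit mapping: it stops the table from growing, but accepts any atom that already exists in the VM, including ones unrelated to URL schemes.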

dailycve form

Platform: Plug.Cowboy Elixir
Version: 2.0.0-2.8.0
Vulnerability: Atom Table Exhaustion
Severity: High (8.7)
Date: 2026-04-27

Prediction: Patch available 2026-04-27 (v2.8.1)

Analytics under What Undercode Say

Check the current plug_cowboy version:
    mix deps.tree | grep plug_cowboy

Check atom table occupancy as a percentage of the limit (run inside an IEx session):
    :erlang.system_info(:atom_count) / :erlang.system_info(:atom_limit) * 100

Simulate a single malformed HTTP/2 request using h2spec or curl with HTTP/2:
    curl --http2 -H ":scheme: unique-scheme-value" https://vulnerable-host:443/

Monitor atom table usage in real time (assumes the application exposes an /atom-stats endpoint):
    watch -n 1 'curl -s http://localhost:4000/atom-stats 2>/dev/null | jq .'

Quick workaround (disable HTTP/2 for the listener), added to your Plug.Cowboy configuration:
    protocol_options: %{protocols: [:http]}
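The workaround above is a single option; the following added example (mine, not the advisory's or plug_cowboy's) shows where it sits in an HTTPS listener's child spec. The router module, port and certificate paths are placeholders. It is written in the keyword-list form Plug.Cowboy accepts for `:protocol_options`, which it merges into the options map Cowboy itself consumes (the map form quoted above is Cowboy's representation of the same option).

```elixir
# Added example of placing the HTTP/2-disabling workaround in a Plug.Cowboy
# HTTPS child spec. MyApp.Router, the port and the cert paths are placeholders.
children = [
  {Plug.Cowboy,
   scheme: :https,
   plug: MyApp.Router,
   options: [
     port: 4443,
     certfile: "priv/cert/server.pem",
     keyfile: "priv/cert/server.key",
     # Offer only HTTP/1.1 over TLS: with HTTP/2 no longer negotiated via
     # ALPN, the client cannot supply a :scheme pseudo-header and the scheme
     # is derived from the listener instead.
     protocol_options: [protocols: [:http]]
   ]}
]

Supervisor.start_link(children, strategy: :one_for_one, name: MyApp.Supervisor)
```

This is a stopgap, not a fix: it trades away HTTP/2 for every client of that listener, so it belongs in place only until the upgrade to 2.8.1 or later is deployed.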

Exploit

An attacker sends a high volume of HTTP/2 requests, each with a distinct, arbitrary `:scheme` pseudo‑header. Because the application unconditionally converts every new `:scheme` into an atom, the atom table is exhausted after approximately 1,048,576 unique values. Once the table is full, the Erlang VM crashes with `system_limit`, causing a complete denial of service for all services running on that node. The attack can be launched remotely with no authentication, and it leaves the node unusable until a restart.

Protection from this CVE

  • Immediate upgrade to `plug_cowboy` version 2.8.1 or later.
  • Workaround: Disable HTTP/2 on the `Plug.Cowboy.https/3` listener by passing `protocol_options: %{protocols: [:http]}` (this restricts the listener to HTTP/1.1, where the scheme is not attacker‑controlled).
  • Network mitigation: Place a reverse proxy that speaks HTTP/1.1 to the backend, thereby stripping the `:scheme` pseudo‑header before it reaches the vulnerable code.
  • Monitoring: Keep an eye on the atom table size using `:erlang.system_info(:atom_count)` and alert when it approaches the limit.
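For the monitoring item, the following is an added example (mine, not part of the advisory or of plug_cowboy): a GenServer that samples the atom table on a timer, logs once when occupancy crosses a threshold, and exposes a `stats/0` snapshot that an application could serve from the `/atom-stats` route the `watch`/`curl` line above polls. It assumes only OTP 20 or later, which introduced the `:atom_count` key; the module name, option names and threshold are my own choices.

```elixir
# Added example: periodic atom-table monitor with a one-shot alert.
# Not from the advisory or plug_cowboy; needs OTP 20+ for :atom_count.
defmodule AtomTableMonitor do
  use GenServer
  require Logger

  @default_interval_ms 5_000
  @default_threshold 0.80

  def start_link(opts \\ []) do
    GenServer.start_link(__MODULE__, opts, name: __MODULE__)
  end

  # Occupancy as a fraction, from explicit counts so it can be exercised
  # without touching the live VM.
  def occupancy(count, limit) when is_integer(count) and is_integer(limit) and limit > 0 do
    count / limit
  end

  # Live occupancy of this VM's atom table.
  def occupancy do
    occupancy(:erlang.system_info(:atom_count), :erlang.system_info(:atom_limit))
  end

  # :alert once the fraction reaches the threshold, :ok otherwise.
  def classify(fraction, threshold \\ @default_threshold) do
    if fraction >= threshold, do: :alert, else: :ok
  end

  # Snapshot suitable for a JSON endpoint such as /atom-stats; wiring the
  # route itself is left to the application.
  def stats do
    count = :erlang.system_info(:atom_count)
    limit = :erlang.system_info(:atom_limit)

    %{
      atom_count: count,
      atom_limit: limit,
      occupancy_percent: Float.round(occupancy(count, limit) * 100, 2)
    }
  end

  @impl true
  def init(opts) do
    state = %{
      interval: Keyword.get(opts, :interval_ms, @default_interval_ms),
      threshold: Keyword.get(opts, :threshold, @default_threshold),
      last: :ok
    }

    Process.send_after(self(), :sample, state.interval)
    {:ok, state}
  end

  @impl true
  def handle_info(:sample, state) do
    status = classify(occupancy(), state.threshold)

    # Log only on the transition into :alert. Atoms are never freed, so once
    # the table is over the threshold it stays there, and repeating the
    # warning every interval would only flood the log.
    if status == :alert and state.last == :ok do
      %{atom_count: c, atom_limit: l, occupancy_percent: p} = stats()
      Logger.warning("atom table at #{p}% of limit (#{c}/#{l}); possible atom-table exhaustion")
    end

    Process.send_after(self(), :sample, state.interval)
    {:noreply, %{state | last: status}}
  end
end
```

Add `{AtomTableMonitor, threshold: 0.75, interval_ms: 10_000}` to the application's supervision tree to run it. Because atom-table growth is monotonic, the first crossing is the only actionable signal; in practice the warning should feed whatever alerting the rest of the node uses, and a sudden jump in `atom_count` on an HTTPS listener that still offers HTTP/2 is the pattern this advisory describes.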

Impact

The vulnerability allows an unauthenticated remote attacker to crash the entire Erlang VM (BEAM) with a single‑sided resource exhaustion attack. This results in a complete denial of service for every application hosted on the same node. No data integrity or confidentiality is affected, but service availability is destroyed until manual intervention (restart) is performed. The CVSS 4.0 score is 8.7 (High), reflecting the low attack complexity and the complete loss of availability.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
