Intel

AIKIDO-2026-343532

mdex is vulnerable to Atom Exhaustion

Atom ExhaustionCVE-2026-53426 Published Jul 2, 2026

82

High Risk

This Affects:

ELIXIRmdex
0.4.3 - 0.13.1
Fixed in 0.13.2
Are you affected? Scan for Free

TL;DR

MDEx.parse_document/2 accepts a {:json, json} source. In lib/mdex.ex, the private json_to_node/1 function passes the attacker-controlled node_type value to Module.concat/1, which calls String.to_atom/1 and interns a brand-new atom for every distinct value. Atoms are never garbage collected on the BEAM, so a crafted JSON document carrying a unique node_type at each (deeply nested) node mints one permanent atom per node. A single document can intern hundreds of thousands of atoms, and a large enough document exhausts the default atom table (around 1,048,576 atoms) and aborts the entire Erlang VM, taking down every process on the node.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

mdex is vulnerable to Atom Exhaustion in versions 0.4.3 - 0.13.1.

How to fix this

Upgrade the mdex library to the patch version.