Parsing untrusted input with Code.string_to_quoted!/1 creates new atoms for every identifier (variable, function and module name), literal atom, and keyword key that appears in the input.
Since atoms are not garbage-collected in the BEAM and the atom table has a fixed size set at VM start, an attacker can send input containing many unique names; each one is interned as a new atom until the table is exhausted and the VM terminates.
Solution:
Pass existing_atoms_only: true and/or a strict static_atoms_encoder to Code.string_to_quoted/2. With existing_atoms_only: true, tokenization fails on any atom that does not already exist instead of creating it. A static_atoms_encoder function is called with the text of every static atom (identifiers, literal atoms, keyword keys) and must return {:ok, term} or {:error, reason}, so it can reject anything outside a whitelist or map names to pre-existing atoms; in either case the tokenizer never calls String.to_atom/1 on attacker-chosen input.
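The hardened parser below is an added example, not code from the original page or from the Elixir project. It assumes a hypothetical application that accepts small Elixir-syntax expressions from untrusted clients and only ever expects the identifiers and keyword keys listed in the module's whitelist; the module name, the whitelist contents and the sample inputs in demo/0 are all constructed for this illustration.

```elixir
# Added example (not from the original page): parse untrusted Elixir source
# without letting the tokenizer intern attacker-chosen atoms.
defmodule SafeParse do
  # Hypothetical whitelist of the identifiers and keyword keys the
  # application expects. Because these atoms appear in this module's source,
  # they exist as soon as the module is loaded; nothing here creates atoms
  # at request time.
  @allowed [:a, :b, :c, :limit, :offset]
  @lookup Map.new(@allowed, &{Atom.to_string(&1), &1})

  @doc "Parse untrusted input; returns {:ok, ast} or {:error, reason}."
  def parse(input) when is_binary(input) do
    Code.string_to_quoted(input,
      # Governs dynamic atoms (e.g. interpolated :"#{...}"): the generated
      # code will use binary_to_existing_atom rather than creating atoms.
      existing_atoms_only: true,
      # Governs static atoms (identifiers, :literals, quoted atoms, keyword
      # keys): the tokenizer calls this instead of String.to_atom/1.
      static_atoms_encoder: &encode_atom/2
    )
  end

  # Receives the atom's text plus metadata (line/column). Returning
  # {:error, reason} aborts parsing; the name is never turned into an atom.
  defp encode_atom(name, meta) do
    case Map.fetch(@lookup, name) do
      {:ok, atom} ->
        {:ok, atom}

      :error ->
        {:error, "identifier #{inspect(name)} is not allowed (line #{meta[:line]})"}
    end
  end

  @doc "Constructed smoke test: whitelisted vocabulary parses, the rest fails."
  def demo do
    # Ordinary expression over whitelisted variables: parses to a normal AST.
    {:ok, {:+, _, [{:a, _, _}, _]}} = parse("a + b * c")

    # Keyword keys go through the encoder as well.
    {:ok, [limit: 3, offset: 10]} = parse("[limit: 3, offset: 10]")

    # A name that is not whitelisted is rejected before any atom is created,
    # which is exactly what defeats the "send a million unique names" attack.
    {:error, _reason} = parse("payload_1234567 + 1")

    # Quoted atoms are static atoms too, so they hit the encoder and fail.
    {:error, _reason} = parse(~S(:"not on the list"))

    :ok
  end
end
```

Run SafeParse.demo() in iex to exercise all four cases; it returns :ok only if every match succeeds. Note that the exact shape of the {:error, ...} tuple differs between Elixir versions, so callers should match on {:error, _} rather than on its contents. Rejecting unknown names at tokenization time is what removes the atom-exhaustion vector; it does not make the resulting AST safe to evaluate, so the output of parse/1 still has to be validated before anything like Code.eval_quoted/3 is applied to it.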