Resource exhaustion in Ash-project Ash
CVE-2026-34593
Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.cast_input/2 unconditionally creates a new Erlang atom via Module.concat([value]) for any user-supplied binary…
Vulnerability class: DoS (Denial of Service)
EPSS: 0.000 (7.4th percentile)
Affected products
- Ash-project Ash — versions < 3.22.0
Weakness classification (CWE)
References
- https://github.com/ash-project/ash/security/advisories/GHSA-jjf9-w5vj-r6vp (x_refsource_CONFIRM)
- https://github.com/ash-project/ash/releases/tag/v3.22.0 (x_refsource_MISC)