
Description

Uncontrolled Resource Consumption vulnerability in oban-bg oban_web ('Elixir.Oban.Web.CronExpr' modules) allows memory exhaustion via unbounded cron range expansion. An attacker with access to schedule cron jobs can submit a malicious cron expression such as "0 0 1-100000000 * *". When a user with dashboard access views the cron job list, 'Elixir.Oban.Web.CronExpr':describe/1 is called to render the expression. parse_range/1 parses both range endpoints via Integer.parse/1 with no bounds check, and the downstream helpers expand_dom_parts/1 and expand_dow_parts/1 materialise the range eagerly via Enum.to_list/1, causing allocation of ~2.4 GB and stalling or crashing the BEAM node. A sibling helper extract_dom_values already validates range bounds, but the expansion helpers do not. This issue affects oban_web: from 2.12.0 before 2.12.5.
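As an added illustration (hypothetical code, not Oban.Web's own), the module below shows the shape of the flaw next to a bounds-checked variant: the day-of-month endpoints are validated against the field's domain (1..31) before Enum.to_list/1 is called, so rendering cost is bounded by the domain size rather than by whatever digits were submitted. Module and function names are assumptions.

```elixir
defmodule CronRangeCheck do
  @moduledoc """
  Illustrative day-of-month range handling (hypothetical, not Oban.Web code).
  Contrasts eager, unbounded expansion with a bounds-checked version.
  """

  # Valid domain for a day-of-month field.
  @dom_min 1
  @dom_max 31

  # Shape of the flaw: both endpoints come straight from Integer.parse/1 and
  # the range is materialised eagerly, so "1-100000000" builds a 100M-element
  # list before anything looks at the values.
  def expand_unbounded(range) do
    [lo_s, hi_s] = String.split(range, "-", parts: 2)
    {lo, ""} = Integer.parse(lo_s)
    {hi, ""} = Integer.parse(hi_s)
    Enum.to_list(lo..hi)
  end

  # Hardened: parse, then check both endpoints against the domain and their
  # ordering, and only then materialise. At most 31 elements can ever be built.
  # Non-integer input, a reversed range, or an out-of-domain endpoint is rejected.
  def expand_bounded(range) do
    with [lo_s, hi_s] <- String.split(range, "-", parts: 2),
         {lo, ""} <- Integer.parse(lo_s),
         {hi, ""} <- Integer.parse(hi_s),
         true <- lo >= @dom_min and hi <= @dom_max and lo <= hi do
      {:ok, Enum.to_list(lo..hi)}
    else
      _ -> {:error, :invalid_range}
    end
  end
end

# Constructed inputs: the advisory's example expression and a legitimate range.
IO.inspect(CronRangeCheck.expand_bounded("1-100000000"), label: "hostile")
IO.inspect(CronRangeCheck.expand_bounded("1-15"), label: "legitimate")
IO.inspect(CronRangeCheck.expand_bounded("15-1"), label: "reversed")
```

The same bounds check belongs anywhere a cron field is expanded, not only in the validator that runs on job creation, since the dashboard renders expressions that were accepted earlier.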

PUBLISHED Reserved 2026-05-22 | Published 2026-05-26 | Updated 2026-05-27 | Assigner EEF

Severity

MEDIUM: 5.9 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-400 Uncontrolled Resource Consumption

Product status

Default status: unaffected

2.12.0 (semver) before 2.12.5: affected

Default status: unaffected

a97c7960bb389b05aaab4cf8042985f02ceddc24 (git) before 9998b7e284e02fdd4645dd6231760038e63b584d: affected

Credits

Peter Ullrich (finder)

Shannon Selbert (remediation developer)

Jonatan Männchen / EEF (analyst)

References

github.com/...an_web/security/advisories/GHSA-6xh2-93p9-vqh4 vendor-advisory related

cna.erlef.org/cves/CVE-2026-48593.html related

osv.dev/vulnerability/EEF-CVE-2026-48593 related

github.com/...ommit/9998b7e284e02fdd4645dd6231760038e63b584d patch

cve.org (CVE-2026-48593)

nvd.nist.gov (CVE-2026-48593)