CVE-2026-48593

Published: Mag 26, 2026 Last Modified: Mag 26, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 5,9

Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: passive

Confidentiality: N/A

Integrity: N/A

Availability: N/A

Description

AI Translation Available

Uncontrolled Resource Consumption vulnerability in oban-bg oban_web ('Elixir.Oban.Web.CronExpr' modules) allows memory exhaustion via unbounded cron range expansion.

An attacker with access to schedule cron jobs can submit a malicious cron expression such as '0 0 1-100000000 * *'. When a user with dashboard access views the cron job list, 'Elixir.Oban.Web.CronExpr':describe/1 is called to render the expression. parse_range/1 parses both range endpoints via Integer.parse/1 with no bounds check, and the downstream helpers expand_dom_parts/1 and expand_dow_parts/1 materialise the range eagerly via Enum.to_list/1, causing allocation of ~2.4 GB and stalling or crashing the BEAM node. A sibling helper extract_dom_values already validates range bounds, but the expansion helpers do not.

This issue affects oban_web: from 2.12.0 before 2.12.5.

400

Uncontrolled Resource Consumption

Draft

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Availability Access Control Other

Potential Impacts:

Dos: Crash, Exit, Or Restart Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Dos: Resource Consumption (Other) Bypass Protection Mechanism Other