Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Allocation of Resources Without Limits or Throttling vulnerability in phenixdigital phoenix_storybook allows unauthenticated denial-of-service via BEAM atom table exhaustion.
Multiple LiveView event handlers convert user-supplied event parameter strings to atoms using String.to_atom/1 without validation: 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':handle_set_variation_assign/3 interns every key of the psb-assign params map; 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':handle_toggle_variation_assign/3 interns the "attr" value from psb-toggle events; 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':to_variation_id/2 interns elements of "variation_id"; and 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':to_value/4 interns raw string values for attributes declared as :atom or :boolean. BEAM atoms are never garbage-collected, so each unique attacker-controlled string is a permanent allocation. Once the atom table ceiling (~1,048,576 atoms) is reached, the entire BEAM node aborts, taking down all applications running on it.
This issue affects phoenix_storybook from 0.2.0 before 1.1.0.
AnalysisAI
Unauthenticated denial-of-service in phenixdigital phoenix_storybook (0.2.0 through versions before 1.1.0) lets a remote attacker crash the entire BEAM virtual machine by exhausting its atom table. Multiple LiveView event handlers in ExtraAssignsHelpers feed user-controlled strings into String.to_atom/1, and because BEAM atoms are never garbage-collected, ~1,048,576 unique attacker-supplied keys/values permanently consume the atom table and abort every application running on that node. No public exploit identified at time of analysis, but the upstream fix is in commit 96d5246 and version 1.1.0.
Technical ContextAI
Phoenix Storybook is an Elixir/Phoenix LiveView component catalog (analogous to JavaScript Storybook) developed by phenixdigital and used in development and demo deployments of Phoenix applications. The bug is a textbook CWE-770 (Allocation of Resources Without Limits or Throttling) against an Erlang/Elixir runtime property: atoms in the BEAM VM are interned in a fixed-size, non-garbage-collected table whose default ceiling is 1,048,576 entries. The vulnerable functions PhoenixStorybook.ExtraAssignsHelpers.handle_set_variation_assign/3, handle_toggle_variation_assign/3, to_variation_id/2, and to_value/4 each call String.to_atom/1 on attacker-controlled keys or values from psb-assign, psb-toggle, and variation_id LiveView events; the Playground LiveView additionally interned tab names and theme names. The patch replaces these with String.to_existing_atom/1, lookups against a fixed whitelist (theme_from_param, tab_from_param, to_atom_value with declared :values), or explicit attr_from_param resolution so unknown user input cannot create new atoms.
RemediationAI
Upgrade phoenix_storybook to 1.1.0 or later, which contains upstream commit 96d524690af0fe197a49f60d18e564a620b9ef81 replacing every unguarded String.to_atom/1 call with either String.to_existing_atom/1 or whitelist lookups against declared attribute :values, theme IDs, and tab names; see https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-833p-95jq-929q and https://cna.erlef.org/cves/CVE-2026-8469.html. If immediate upgrade is not possible, restrict access to the storybook router scope (typically mounted via storybook_assets/storybook routes in your Phoenix router) so it is only reachable from trusted networks or behind authenticated reverse-proxy rules - this is appropriate for most deployments since Phoenix Storybook is intended as a development/design tool rather than a public surface. As a defense-in-depth measure, raise the BEAM atom table ceiling via the +t emulator flag and monitor :erlang.system_info(:atom_count) so node-wide exhaustion is detected before collapse, with the trade-off that this only delays rather than prevents the DoS.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31114
GHSA-833p-95jq-929q