CVE-2019-16764

PowAssent is susceptible to denial of service attacks

Description

The use of `String.to_atom/1` in PowAssent is susceptible to denial of service attacks. In `PowAssent.Phoenix.AuthorizationController` a value is fetched from the user provided params, and `String.to_atom/1` is used to convert the binary value to an atom so it can be used to fetch the provider configuration value. This is unsafe as it is user provided data, and can be used to fill up the whole atom table of ~1M which will cause the app to crash.

Remediation

Workaround:

  • A plug can be used to validate conn.params["provider"] before it reaches the PowAssent.Phoenix.AuthorizationController.

Category

6.5
CVSS
Severity: Medium
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.44%
Third-Party Advisory github.com
Affected: pow-auth pow_assent
Published at:
Updated at:

References

Link Tags
https://github.com/pow-auth/pow_assent/security/advisories/GHSA-368c-xvrv-x986 third party advisory
https://hex.pm/packages/pow_assent release notes
http://erlang.org/doc/efficiency_guide/commoncaveats.html#list_to_atom-1 product
https://github.com/pow-auth/pow_assent/commit/026105eeecc0e3c2f807e7109e745ea93c0fd9cf patch

Frequently Asked Questions

What is the severity of CVE-2019-16764?
CVE-2019-16764 has been scored as a medium severity vulnerability.
How to fix CVE-2019-16764?
As a workaround for remediating CVE-2019-16764: A plug can be used to validate conn.params["provider"] before it reaches the PowAssent.Phoenix.AuthorizationController.
Is CVE-2019-16764 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2019-16764 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2019-16764?
CVE-2019-16764 affects pow-auth pow_assent.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.