23 matches found
CVE-2026-55736 Private action arguments can be set by user input in Ash
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code. Action arguments declared with public?: false are meant t...
CVE-2026-34593
Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.castinput/2 unconditionally creates a new Erlang atom via Module.concatvalue for any user-supplied binary string that starts with "Elixir.", before verifying whether the...
CVE-2026-34593
Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.castinput/2 unconditionally creates a new Erlang atom via Module.concatvalue for any user-supplied binary string that starts with "Elixir.", before verifying whether the...
CVE-2026-34593 Ash Framework: Ash.Type.Module.cast_input/2 atom exhaustion via unchecked Module.concat allows BEAM VM crash
Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.castinput/2 unconditionally creates a new Erlang atom via Module.concatvalue for any user-supplied binary string that starts with "Elixir.", before verifying whether the...
CVE-2026-34593
Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.castinput/2 unconditionally creates a new Erlang atom via Module.concatvalue for any user-supplied binary string that starts with "Elixir.", before verifying whether the...
CVE-2026-34593 Ash Framework: Ash.Type.Module.cast_input/2 atom exhaustion via unchecked Module.concat allows BEAM VM crash
Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.castinput/2 unconditionally creates a new Erlang atom via Module.concatvalue for any user-supplied binary string that starts with "Elixir.", before verifying whether the...
CVE-2026-34593
This CVE affects Ash Framework (Elixir) where Ash.Type.Module.cast_input/2 unconditionally creates a new Erlang atom via Module.concat([value]) for inputs starting with "Elixir." before module existence is verified. The atom creation can exhaust BEAM’s atom table (default ~1,048,576 entries) and ...
Ash Framework 资源管理错误漏洞
Ash Framework is an open-source framework used for building Elixir applications. Versions of Ash Framework prior to 3.22.0 contained a resource management vulnerability. This vulnerability stems from Ash.Type.Module.castinput/2, which “Elixir.”, thereby creating new Erlang atoms. This could lead ...
GHSA-JJF9-W5VJ-R6VP Ash.Type.Module.cast_input/2 atom exhaustion via unchecked Module.concat allows BEAM VM crash
Summary Ash.Type.Module.castinput/2 unconditionally creates a new Erlang atom via Module.concatvalue for any user-supplied binary string that starts with "Elixir.", before verifying whether the referenced module exists. Because Erlang atoms are never garbage-collected and the BEAM atom table has ...
CVE-2025-48044
Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/policy.ex and program routines 'Elixir.Ash.Policy.Policy':expression/2. This issue affects ash: from pkg:hex/[email protected] before pkg:hex/[email protected]...
Ash Framework 安全漏洞
Ash Framework is an Ash Framework open source framework for building Elixir applications. A security vulnerability exists in Ash Framework version 3.6.3 through versions prior to 3.7.1, which stems from improper authorization and could lead to authentication bypass...
Ash Framework: Filter authorization misapplies impossible bypass/runtime policies
Summary When using filter authorization, two edge cases could cause the policy compiler/authorizer to generate a permissive filter: 1. Bypass policies whose condition can never pass at runtime were compiled as ORANDcondition, compiledpolicies, NOTcondition. If the condition could never be true at...
CVE-2025-48043
Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/authorizer/authorizer.ex and program routines 'Elixir.Ash.Policy.Authorizer':strictfilters/2. This issue affects ash: from pkg:hex/ash@0 before...
Ash Framework 安全漏洞
Ash Framework is an Ash Framework open source framework for building Elixir applications. A security vulnerability exists in Ash Framework versions prior to 3.6.2 that stems from improper authorization and could lead to authentication bypass...
EUVD-2024-3055
Malicious code in bioql PyPI...
GHSA-JJ4J-X5WW-CWH9 Before action, Ash's hooks may execute in certain scenarios despite a request being forbidden
Summary Certain bulk action calls with a beforetransaction hook and no aftertransaction hook, will call the beforetransaction hook before authorization is checked and a Forbidden error is returned, when called as a bulk action. The impact is that a malicious user could cause a beforetransaction t...
Incorrect Authorization
Overview ash is an A declarative, extensible framework for building Elixir applications. Affected versions of this package are vulnerable to Incorrect Authorization when running a bulk of action calls with a beforetransaction hook and no aftertransaction hook. A malicious user could cause a...
CVE-2025-48042
CVE-2025-48042 (ash) is an Incorrect Authorization vulnerability affecting ash where running a bulk action with a before_transaction hook and no after_transaction hook could cause a before_transaction to execute before authorization is checked. Affected versions are ash from pkg:hex/ash prior to ...
EEF-CVE-2025-48042 Before action hooks may execute in certain scenarios despite a request being forbidden
Summary Incorrect Authorization vulnerability in ash-project ash allows Exploiting Incorrectly Configured Access Control Security Levels. This vulnerability is associated with program files lib/ash/actions/create/bulk.ex, lib/ash/actions/destroy/bulk.ex, lib/ash/actions/update/bulk.ex and program...
Ash Framework 安全漏洞
Ash Framework is an Ash Framework open source framework for building Elixir applications. A security vulnerability exists in Ash Framework versions prior to 3.5.39 that stems from improper authorization and could lead to an access control bypass...