Danschultzer

#41948de 53,633
6.5 CVSS total
Vulnerabilities · 1
PT-2019-14820
6.5
2019-11-25
Pow · PowAssent · CVE-2019-16764

**Name of the Vulnerable Software and Affected Versions** PowAssent (affected versions not specified)

**Description** PowAssent's use of `String.to_atom/1` is susceptible to denial of service. In `PowAssent.Phoenix.AuthorizationController`, the provider name is fetched from the user-supplied request params and passed to `String.to_atom/1` so the resulting atom can be used to look up the provider configuration. Atoms are never garbage-collected by the BEAM, so converting attacker-controlled strings lets a remote client create a new atom per distinct request value and fill the atom table (default limit 1,048,576 entries), at which point the VM crashes and takes the application down.

**Recommendations** Do not pass user-provided data to `String.to_atom/1` in the affected controller. The conversion should only succeed for provider names that are actually present in the application's PowAssent configuration (for example by comparing the string against the configured provider keys, or by using `String.to_existing_atom/1`, which does not allocate new atoms); any other value should be rejected. As an interim measure, restrict access to `PowAssent.Phoenix.AuthorizationController` to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
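The following is an added example, not code from PowAssent or its maintainers, that contrasts the unsafe pattern described above (interning a request parameter as an atom) with a lookup restricted to configured providers. The `ProviderLookup` module and its `@providers` keyword list are constructed stand-ins for the real controller and application config, and the "junk-N" strings play the role of attacker-chosen provider values.

```elixir
# Added example (not PowAssent's code): unsafe atom conversion of user input
# beside a lookup that only accepts provider names already in the config.

defmodule ProviderLookup do
  # Constructed stand-in for the application's provider configuration.
  @providers [
    github: [client_id: "constructed-id", strategy: :github],
    google: [client_id: "constructed-id", strategy: :google]
  ]

  # Vulnerable pattern: every distinct request value becomes a new atom,
  # and atoms are never reclaimed, so the table fills up over time.
  def unsafe_config(provider_param) when is_binary(provider_param) do
    Keyword.get(@providers, String.to_atom(provider_param))
  end

  # Hardened pattern: compare the string against the configured provider
  # names; unknown values are rejected without touching the atom table.
  def safe_config(provider_param) when is_binary(provider_param) do
    case Enum.find(@providers, fn {name, _cfg} ->
           Atom.to_string(name) == provider_param
         end) do
      {_name, cfg} -> {:ok, cfg}
      nil -> {:error, :unknown_provider}
    end
  end
end

# Demonstrate atom-table growth with constructed attacker-style input.
before = :erlang.system_info(:atom_count)
for i <- 1..1_000, do: ProviderLookup.unsafe_config("junk-#{i}")
IO.puts("atoms added by unsafe lookup: #{:erlang.system_info(:atom_count) - before}")

before = :erlang.system_info(:atom_count)
for i <- 1..1_000, do: ProviderLookup.safe_config("junk-#{i}")
IO.puts("atoms added by safe lookup: #{:erlang.system_info(:atom_count) - before}")

IO.inspect(ProviderLookup.safe_config("github"), label: "known provider")
IO.inspect(ProviderLookup.safe_config("does-not-exist"), label: "unknown provider")
```

Run it with `elixir provider_lookup.exs`; the unsafe loop grows `:erlang.system_info(:atom_count)` by one per distinct input, the safe loop does not grow it at all. `String.to_existing_atom/1` is the drop-in alternative, but note that it raises `ArgumentError` on unknown input (so the controller must handle that) and that it accepts any atom already present in the VM, not just provider names, so matching against the configured keys as above is the tighter check.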