Peter Ulrich

**Name of the Vulnerable Software and Affected Versions** plug cowboy versions 2.0.0 through 2.8.0 **Description** An unauthenticated remote attacker can cause a denial of service via atom table exhaustion. In HTTP/2 connections, the `Plug.Cowboy.Conn.conn/1` function in `lib/plug/cowboy/conn.ex` calls `String.to atom/1` on the value returned by `:cowboy req.scheme/1`. Because cowlib passes the client-supplied `:scheme` pseudo-header value without validation, each unique value creates a permanent entry in the BEAM atom table. Since atoms are not garbage-collected and the table has a fixed limit, sending requests with unique `:scheme` values can exhaust the table, causing the Erlang VM to abort with a system limit and crashing the node. This issue does not affect HTTP/1.1. **Recommendations** Update to version 2.8.1. As a temporary workaround, disable HTTP/2 on the Plug.Cowboy.https/3 listener by passing `protocol options: %{protocols: [:http]}` in the cowboy options to restrict the listener to HTTP/1.1.