
Shannon Selbert

#44501 of 53,633
5.9 Total CVSS
Vulnerabilities · 1
PT-2026-43408
5.9
2026-05-26
Oban Web · Oban Web · CVE-2026-48593
**Name of the Vulnerable Software and Affected Versions**

oban_web versions 2.12.0 through 2.12.4

**Description**

Uncontrolled Resource Consumption in the `Elixir.Oban.Web.CronExpr` module allows memory exhaustion through unbounded cron range expansion. An attacker with permissions to schedule cron jobs can submit a malicious cron expression. When a user with dashboard access views the cron job list, the `describe/1` function is called to render the expression. The `parse_range/1` function parses range endpoints using `Integer.parse/1` without bounds checks, and the `expand_dom_parts/1` and `expand_dow_parts/1` helpers eagerly materialize the range via `Enum.to_list/1`. This process can lead to the allocation of approximately 2.4 GB of memory, resulting in the stalling or crashing of the BEAM node (the Erlang Virtual Machine).

**Recommendations**

Update oban_web to version 2.12.5.
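The missing check described above, sketched as an added example that is not Oban Web's code or its 2.12.5 fix: range endpoints are validated against the field's bounds before anything is materialized. The module name `BoundedCronRange`, the field bounds and the error atoms are assumptions made for illustration.

```elixir
defmodule BoundedCronRange do
  # Added illustration, not Oban Web's code. Field bounds are assumed
  # (conventional cron limits for day-of-month and day-of-week).
  defp bounds(:dom), do: {1, 31}
  defp bounds(:dow), do: {0, 6}

  # Expands a part such as "1-5" or "7" into a list, refusing anything
  # whose endpoints fall outside the field's bounds.
  def expand(part, field) when is_binary(part) and field in [:dom, :dow] do
    {min, max} = bounds(field)

    with {:ok, first, last} <- endpoints(part),
         :ok <- check(first, min, max),
         :ok <- check(last, min, max),
         :ok <- ordered(first, last) do
      # Safe to materialize: at most max - min + 1 elements.
      {:ok, Enum.to_list(first..last)}
    end
  end

  defp endpoints(part) do
    case String.split(part, "-", parts: 2) do
      [single] -> with {:ok, n} <- int(single), do: {:ok, n, n}
      [a, b] -> with {:ok, x} <- int(a), {:ok, y} <- int(b), do: {:ok, x, y}
    end
  end

  # Integer.parse/1 accepts arbitrarily large integers and trailing text,
  # so cap the digit count first and require the whole string to match.
  defp int(str) when byte_size(str) in 1..2 do
    case Integer.parse(str) do
      {n, ""} -> {:ok, n}
      _ -> {:error, :not_an_integer}
    end
  end

  defp int(_), do: {:error, :not_an_integer}

  defp check(n, min, max) when n >= min and n <= max, do: :ok
  defp check(_, _, _), do: {:error, :out_of_bounds}

  defp ordered(first, last) when first <= last, do: :ok
  defp ordered(_, _), do: {:error, :reversed_range}
end

# Constructed inputs: one valid range, one that must be rejected unexpanded.
IO.inspect(BoundedCronRange.expand("1-5", :dow))
IO.inspect(BoundedCronRange.expand("1-99", :dom))
```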