CVE-2026-8469

Description

Allocation of Resources Without Limits or Throttling vulnerability in phenixdigital phoenix_storybook allows unauthenticated denial-of-service via BEAM atom table exhaustion. Multiple LiveView event handlers convert user-supplied event parameter strings to atoms using String.to_atom/1 without validation: Elixir.PhoenixStorybook.ExtraAssignsHelpers:handle_set_variation_assign/3 interns every key of the psb-assign params map; Elixir.PhoenixStorybook.ExtraAssignsHelpers:handle_toggle_variation_assign/3 interns the "attr" value from psb-toggle events; Elixir.PhoenixStorybook.ExtraAssignsHelpers:to_variation_id/2 interns elements of "variation_id"; and Elixir.PhoenixStorybook.ExtraAssignsHelpers:to_value/4 interns raw string values for attributes declared as :atom or :boolean. BEAM atoms are never garbage-collected, so each unique attacker-controlled string is a permanent allocation. Once the atom table ceiling (~1,048,576 atoms) is reached, the entire BEAM node aborts, taking down all applications running on it. This issue affects phoenix_storybook from 0.2.0 before 1.1.0.