Unbounded range expansion in cron describe causes memory exhaustion in oban_web

Uncontrolled Resource Consumption vulnerability in oban-bg oban_web ('Elixir.Oban.Web.CronExpr' modules) allows memory exhaustion via unbounded cron range expansion. An attacker with access to schedule cron jobs can submit a malicious cron expression such as "0 0 1-100000000 * *". When a user with dashboard access views the cron job list, 'Elixir.Oban.Web.CronExpr':describe/1 is called to render the expression. parse_range/1 parses both range endpoints via Integer.parse/1 with no bounds check, and the downstream helpers expand_dom_parts/1 and expand_dow_parts/1 materialise the range eagerly via Enum.to_list/1, causing allocation of approximately 2.4 GB and stalling or crashing the BEAM node. A sibling helper, extract_dom_values, already validates range bounds, but the expansion helpers do not.
This issue affects oban_web: from 2.12.0 before 2.12.5.
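As an added illustration (not oban_web's code), the following Elixir module shows a day-of-month range parser in the shape the advisory describes next to a version that validates both endpoints before expanding anything; the module and function names are hypothetical.

```elixir
defmodule CronRangeDemo do
  @moduledoc """
  Added example, not oban_web's code. Module and function names are
  hypothetical; only the shape of the flaw follows the advisory.
  """

  # Vulnerable shape: both endpoints go straight from Integer.parse/1 into
  # a Range that Enum.to_list/1 materialises. "1-100000000" builds a
  # 100_000_000-element list before any code looks at the endpoints.
  def parse_range_unbounded(text) do
    [lo, hi] = String.split(text, "-", parts: 2)
    {lo_int, ""} = Integer.parse(lo)
    {hi_int, ""} = Integer.parse(hi)
    Enum.to_list(lo_int..hi_int)
  end

  # Hardened shape: check each endpoint against the field's legal bounds
  # (1..31 for day-of-month) and their ordering before expanding, so the
  # resulting list can never be larger than the field itself.
  def parse_range_bounded(text, {lower, upper}) do
    with [lo, hi] <- String.split(text, "-", parts: 2),
         {lo_int, ""} <- Integer.parse(lo),
         {hi_int, ""} <- Integer.parse(hi),
         true <- lo_int >= lower and hi_int <= upper and lo_int <= hi_int do
      {:ok, Enum.to_list(lo_int..hi_int)}
    else
      _ -> {:error, "range #{inspect(text)} is outside #{lower}..#{upper}"}
    end
  end
end

# Constructed inputs: a legitimate day-of-month range, then the payload
# quoted in the advisory. Only the bounded parser is exercised here.
CronRangeDemo.parse_range_bounded("1-15", {1, 31})
CronRangeDemo.parse_range_bounded("1-100000000", {1, 31})
```

The first call returns {:ok, [1, 2, ..., 15]}; the second returns an {:error, _} tuple without ever expanding the range, which is the bounds check the advisory says the expansion helpers lack.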
No vendor fix or workaround currently provided.
Reference: GitHub GHSA-6xh2-93p9-vqh4, "oban_web: Unbounded range expansion in cron describe causes memory exhaustion"
Change history, Tue, 26 May 2026 21:30:00 +0000: metrics (ssvc) changed.
Change history, Tue, 26 May 2026 20:30:00 +0000: description, title, vendor/product, weaknesses, CPE and metrics (cvssV4_0) added.
Vendor / product: Oban Web Project / oban Web
Weaknesses: CWE-400
CPE: cpe:2.3:a:oban_web_project:oban_web:*:*:*:*:*:*:*:*
Metrics: cvssV4_0
Status: PUBLISHED
Assigner: EEF
Reserved: 2026-05-22T09:36:56.834Z
Updated: 2026-05-27T15:40:57.317Z
Link: CVE-2026-48593

Status: Deferred
Published: 2026-05-26T21:16:41.857
Modified: 2026-06-17T10:55:08.377
Updated: 2026-05-26T20:46:21.859Z

OpenCVE Enrichment
Updated: 2026-05-27T10:08:39Z