Sharing a recent episode of BEAM There, Done That that covers something directly relevant to this community: the state of vulnerability disclosure infrastructure for the BEAM ecosystem, and what’s changed in the last few months.
Peter Ullrich has been systematically scanning Hex packages using Claude and has uncovered a significant number of vulnerabilities across widely-used libraries - decimal, Bandit, and others. Jonathan Machen, who runs the EEF CNA, joins to describe the coordination side: how reports are triaged, how maintainers are contacted, how CVEs get published to OSV.dev and eventually surfaced through the Hex CLI.
From an Erlang perspective, the two most common vulnerability patterns turning up are:
Atom table exhaustion - any code path reachable by external input that calls binary_to_atom/2 (or list_to_atom/1) where binary_to_existing_atom/2 was meant, or that passes untrusted data to binary_to_term/2 without the [safe] option ([:safe] in Elixir). The BEAM's atom table is finite and never garbage-collected, so every atom an attacker gets created is permanent for the life of the node. A patient attacker can exhaust it silently over days.
Unbounded buffering in HTTP/WebSocket implementations - a client sends data that never includes the expected terminator, and the server keeps accumulating it, relying on a size limit that was never written in.
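As an added illustration of both patterns (this is example code written for this post, not code from the episode, from OTP, or from any of the packages it discusses), the Erlang module below puts the vulnerable form of each beside its hardened form. The module and function names are made up, the 8 KiB line cap and the 1 MiB terminator-free stream are arbitrary choices, and the atom payload is hand-built in external term format so it can be decoded without the atom ever existing on the sending side.

```erlang
-module(beam_input_guard).
-export([unsafe_lookup/1, safe_lookup/1,
         unsafe_decode/1, safe_decode/1,
         atom_payload/1, atom_headroom/0, atom_demo/0,
         unbounded_frame/2, bounded_frame/3, frame_demo/0]).

%%% --- Pattern 1: atom table exhaustion --------------------------------

%% Vulnerable: every distinct Key an attacker sends becomes a new atom,
%% and atoms are never garbage collected.
unsafe_lookup(Key) when is_binary(Key) ->
    binary_to_atom(Key, utf8).

%% Hardened: only atoms that already exist can be produced; anything else
%% raises badarg, which is turned into an explicit error here.
safe_lookup(Key) when is_binary(Key) ->
    try binary_to_existing_atom(Key, utf8) of
        Atom -> {ok, Atom}
    catch
        error:badarg -> {error, unknown_key}
    end.

%% Vulnerable: the external term format can carry atoms, pids, refs and
%% funs, so each decoded message may intern atoms on the attacker's behalf.
unsafe_decode(Bin) ->
    binary_to_term(Bin).

%% Hardened: with 'safe', decoding fails with badarg instead of creating
%% new atoms (or new external fun references).
safe_decode(Bin) ->
    try binary_to_term(Bin, [safe]) of
        Term -> {ok, Term}
    catch
        error:badarg -> {error, unsafe_term}
    end.

%% Constructed attacker payload: external term encoding of one atom
%% (version byte 131, SMALL_ATOM_UTF8_EXT tag 119, 1-byte length, name),
%% built by hand so the atom need not exist where the payload is made.
atom_payload(Name) when is_binary(Name), byte_size(Name) < 256 ->
    <<131, 119, (byte_size(Name)):8, Name/binary>>.

%% Atoms currently interned versus the node's fixed limit (erl +t N).
atom_headroom() ->
    {erlang:system_info(atom_count), erlang:system_info(atom_limit)}.

%% Shows the leak: safe_decode rejects the never-seen atom, while
%% unsafe_decode interns it for good. Returns the growth in atom_count.
atom_demo() ->
    Name = <<"attacker_",
             (integer_to_binary(erlang:unique_integer([positive])))/binary>>,
    Payload = atom_payload(Name),
    {error, unsafe_term} = safe_decode(Payload),
    {Before, _} = atom_headroom(),
    _ = unsafe_decode(Payload),
    {After, _} = atom_headroom(),
    After - Before.

%%% --- Pattern 2: unbounded buffering while waiting for a terminator ----

%% Vulnerable: keeps appending until "\r\n" arrives. A client that never
%% sends the terminator grows Buf without limit.
unbounded_frame(Buf, Chunk) ->
    Data = <<Buf/binary, Chunk/binary>>,
    case binary:split(Data, <<"\r\n">>) of
        [Line, Rest] -> {line, Line, Rest};
        [_]          -> {more, Data}
    end.

%% Hardened: identical framing, but the caller sets MaxLine and the
%% function refuses to buffer past it, so the caller can close the socket.
bounded_frame(Buf, Chunk, MaxLine) ->
    Data = <<Buf/binary, Chunk/binary>>,
    case binary:split(Data, <<"\r\n">>) of
        [Line, Rest] when byte_size(Line) =< MaxLine -> {line, Line, Rest};
        [_Line, _Rest]                               -> {error, line_too_long};
        [_] when byte_size(Data) > MaxLine           -> {error, line_too_long};
        [_]                                          -> {more, Data}
    end.

%% Feeds the same constructed terminator-free stream (1024 chunks of 1 KiB,
%% no CRLF anywhere) through both framers with an 8 KiB cap on the second.
frame_demo() ->
    Chunks = lists:duplicate(1024, binary:copy(<<"A">>, 1024)),
    {more, Unbounded} = lists:foldl(fun(C, {more, B}) -> unbounded_frame(B, C) end,
                                    {more, <<>>}, Chunks),
    Bounded = lists:foldl(fun(_, {error, _} = E) -> E;
                             (C, {more, B}) -> bounded_frame(B, C, 8192)
                          end, {more, <<>>}, Chunks),
    {byte_size(Unbounded), Bounded}.
```

Run atom_demo/0 from a shell and the returned difference is the number of atoms the unsafe path leaked; call it again and atom_headroom/0 never goes back down. frame_demo/0 returns the full megabyte the unbounded framer was happy to hold alongside the {error, line_too_long} the bounded one produced as soon as the cap was passed, which is the point where a real server should close the connection rather than keep reading.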
The episode also covers the OTP-level picture: the EEF now has more control over CVE metadata for OTP vulnerabilities than GitHub’s automated tooling previously allowed, which means more precise advisories and better downstream tooling support.
Jonathan is candid that the current infrastructure wasn’t designed for the volume Peter is generating, and that improving the tooling and process automation is the near-term priority before expanding the team.
Worth a listen for anyone maintaining Erlang libraries or responsible for systems built on OTP.