How to fix Unrestricted Resource Consumption in Phoenix
Executive Summary
Phoenix applications running on the BEAM are resilient, but they are not immune to resource exhaustion. Unrestricted resource consumption occurs when an attacker can trigger excessive CPU, memory, or disk usage—often through unbounded pagination, massive file uploads, or complex regex. In Elixir, while processes are isolated, an OOM (Out of Memory) event can still kill the entire node. Harden your endpoints by enforcing strict limits on every user-controlled input that dictates workload.
The Vulnerable Pattern
    def index(conn, %{"limit" => limit}) do
      # VULNERABLE: Direct use of user-supplied limit in a database query
      # An attacker can pass limit=10000000 to exhaust memory
      products = Repo.all(from p in Product, limit: ^limit)
      render(conn, "index.json", products: products)
    end

Also vulnerable in endpoint.ex if length is not set:

    plug Plug.Parsers,
      parsers: [:urlencoded, :multipart, :json],
      pass: ["*/*"],
      json_decoder: Phoenix.json_library()
The Secure Implementation
The vulnerability stems from trusting the user to define the scale of the operation. To mitigate this:

1. Pagination: Always clamp 'limit' or 'page_size' parameters to a hard-coded maximum using `min/2`.
2. Request Body: Configure `Plug.Parsers` with a `length` option to prevent massive payloads from consuming memory during parsing.
3. Timeouts: Ensure database queries have strict `timeout` values in Ecto to prevent long-running queries from hanging processes.
4. Rate Limiting: Use libraries like `Hammer` or `ExRated` to prevent a single client from flooding the system with resource-heavy requests.
    @max_page_size 100

    def index(conn, %{"limit" => limit}) do
      # SECURE: Validate, cast, and clamp the resource-intensive parameter.
      # Only a clean positive integer is accepted; anything else (trailing
      # garbage, zero, negatives, non-numeric input) falls back to the maximum.
      safe_limit =
        case Integer.parse(limit) do
          {val, ""} when val > 0 -> min(val, @max_page_size)
          _ -> @max_page_size
        end

      products = Repo.all(from p in Product, limit: ^safe_limit)
      render(conn, "index.json", products: products)
    end
    # SECURE: Enforce body length limits in endpoint.ex
    plug Plug.Parsers,
      parsers: [:urlencoded, :multipart, :json],
      length: 10_000_000, # Max 10MB
      json_decoder: Phoenix.json_library()
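Steps 1 and 3 above, pulled together into a reusable helper: the pagination module bounds both the page size and the page number (so the offset is bounded too), and the controller passes a per-query timeout to Ecto. This is an added example, not code from the original page; the module names, the `Product` schema and the limits chosen are assumptions.

```elixir
defmodule MyAppWeb.Pagination do
  @moduledoc """
  Turns untrusted "page"/"page_size" params into bounded limit/offset values.
  Added example; module name and limits are assumptions, not a library API.
  """
  @default_page_size 20
  @max_page_size 100
  @max_page 10_000

  # Accept only a clean positive integer; "10abc", "0", "-5", nil and
  # non-binary values all fall back to the default. Result is capped at max.
  defp to_pos_int(nil, default, _max), do: default

  defp to_pos_int(val, default, max) when is_binary(val) do
    case Integer.parse(val) do
      {n, ""} when n > 0 -> min(n, max)
      _ -> default
    end
  end

  defp to_pos_int(val, _default, max) when is_integer(val) and val > 0, do: min(val, max)
  defp to_pos_int(_val, default, _max), do: default

  @doc "Returns %{limit: l, offset: o}; both are bounded regardless of input."
  def clamp(params) when is_map(params) do
    page_size = to_pos_int(params["page_size"], @default_page_size, @max_page_size)
    page = to_pos_int(params["page"], 1, @max_page)
    %{limit: page_size, offset: (page - 1) * page_size}
  end
end

defmodule MyAppWeb.ProductController do
  use MyAppWeb, :controller
  import Ecto.Query, only: [from: 2]
  alias MyApp.{Repo, Product}

  def index(conn, params) do
    %{limit: limit, offset: offset} = MyAppWeb.Pagination.clamp(params)

    products =
      Repo.all(
        from(p in Product, order_by: p.id, limit: ^limit, offset: ^offset),
        # Step 3: a slow query is cut off instead of holding the pool connection.
        timeout: 5_000
      )

    render(conn, "index.json", products: products)
  end
end
```

Because `@max_page` is also capped, the largest offset a client can force is bounded; for very large tables, cursor (keyset) pagination avoids the cost of deep offsets altogether.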
Verified by Ghost Labs Security Team