GHSA-HX9W-F2W9-9G96

Vulnerability from github – Published: 2026-03-01 01:25 – Updated: 2026-04-06 23:15
VLAI?
Summary
hex_core has Unsafe Deserialization of Erlang Terms
Details

Impact

The Hex client (hex_core) deserializes Erlang terms received from the Hex API using binary_to_term/1 without sufficient restrictions.

If an attacker can control the HTTP response body returned by the Hex API, this allows denial-of-service attacks such as atom table exhaustion, leading to a VM crash. No released versions are known to allow remote code execution.

Patches

  • https://github.com/hexpm/hex_core/commit/cdf726095bca85ad2549d146df1e831ae93c2b13
  • https://github.com/hexpm/hex/commit/636739f3322514e9303ca335fb630696fcbb3c95
  • https://github.com/erlang/rebar3/commit/1d4478f527e373de0b225951e53115450e0d9b9d

Workarounds

Ensure that the Hex API URL (HEX_API_URL) points only to trusted endpoints. There is no client-side workaround that fully mitigates this issue without applying the patch.

Resources

  • hex_core Module: https://github.com/hexpm/hex_core/blob/main/src/hex_api.erl
  • Hex Vendored Module: https://github.com/hexpm/hex/blob/main/src/mix_hex_api.erl
  • Rebar3 Vendored Module: https://github.com/erlang/rebar3/blob/main/apps/rebar/src/vendored/r3_hex_api.erl
  • hex_core Patch: https://github.com/hexpm/hex_core/commit/cdf726095bca85ad2549d146df1e831ae93c2b13
  • Hex Vendored Patch: https://github.com/hexpm/hex/commit/636739f3322514e9303ca335fb630696fcbb3c95
  • Rebar3 Vendored Patch: https://github.com/erlang/rebar3/commit/1d4478f527e373de0b225951e53115450e0d9b9d
Severity ?
2.0 (Low)
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Hex",
        "name": "hex_core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.12.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-21619"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-01T01:25:35Z",
    "nvd_published_at": "2026-02-27T18:16:11Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nThe Hex client (`hex_core`) deserializes Erlang terms received from the Hex API using `binary_to_term/1` without sufficient restrictions.\n\nIf an attacker can control the HTTP response body returned by the Hex API, this allows denial-of-service attacks such as **atom table exhaustion**, leading to a VM crash. No released versions are known to allow remote code execution.\n\n### Patches\n\n* https://github.com/hexpm/hex_core/commit/cdf726095bca85ad2549d146df1e831ae93c2b13\n* https://github.com/hexpm/hex/commit/636739f3322514e9303ca335fb630696fcbb3c95\n* https://github.com/erlang/rebar3/commit/1d4478f527e373de0b225951e53115450e0d9b9d\n\n### Workarounds\n\nEnsure that the Hex API URL (`HEX_API_URL`) points only to trusted endpoints. There is no client-side workaround that fully mitigates this issue without applying the patch.\n\n### Resources\n\n* hex_core Module: https://github.com/hexpm/hex_core/blob/main/src/hex_api.erl\n* Hex Vendored Module: https://github.com/hexpm/hex/blob/main/src/mix_hex_api.erl\n* Rebar3 Vendored Module: https://github.com/erlang/rebar3/blob/main/apps/rebar/src/vendored/r3_hex_api.erl\n* hex_core Patch: https://github.com/hexpm/hex_core/commit/cdf726095bca85ad2549d146df1e831ae93c2b13\n* Hex Vendored Patch: https://github.com/hexpm/hex/commit/636739f3322514e9303ca335fb630696fcbb3c95\n* Rebar3 Vendored Patch: https://github.com/erlang/rebar3/commit/1d4478f527e373de0b225951e53115450e0d9b9d",
  "id": "GHSA-hx9w-f2w9-9g96",
  "modified": "2026-04-06T23:15:53Z",
  "published": "2026-03-01T01:25:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/hexpm/hex_core/security/advisories/GHSA-hx9w-f2w9-9g96"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21619"
    },
    {
      "type": "WEB",
      "url": "https://github.com/erlang/rebar3/commit/1d4478f527e373de0b225951e53115450e0d9b9d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hexpm/hex/commit/636739f3322514e9303ca335fb630696fcbb3c95"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hexpm/hex_core/commit/cdf726095bca85ad2549d146df1e831ae93c2b13"
    },
    {
      "type": "WEB",
      "url": "https://cna.erlef.org/cves/CVE-2026-21619.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hexpm/hex_core"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/EEF-CVE-2026-21619"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "hex_core has Unsafe Deserialization of Erlang Terms"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.