EEF-CVE-2026-21619
- Source
- https://cna.erlef.org/osv/EEF-CVE-2026-21619.html
- Import Source
- https://cna.erlef.org/osv/EEF-CVE-2026-21619.json
- JSON Data
- https://api.osv.dev/v1/vulns/EEF-CVE-2026-21619
- Aliases
- Published
- 2026-02-27T17:57:11.513Z
- Modified
- 2026-02-28T05:56:20.371755Z
- Severity
-
- 2.0 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Unsafe Deserialization of Erlang Terms in hex_core
- Details
-
Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hexcore (hexapi modules), hexpm hex (mixhexapi modules), erlang rebar3 (r3hexapi modules) allows Object Injection, Excessive Allocation. This vulnerability is associated with program files src/hexapi.erl, src/mixhexapi.erl, apps/rebar/src/vendored/r3hexapi.erl and program routines hexcore:request/4, mixhexapi:request/4, r3hexapi:request/4.
This issue affects hex_core: from 0.1.0 before 0.12.1; hex: from 2.3.0 before 2.3.2; rebar3: from 3.9.1 before 3.27.0.
- Database specific
{ "capec_ids": [ "CAPEC-586", "CAPEC-130" ], "cwe_ids": [ "CWE-400", "CWE-502" ], "cpe_ids": [ "cpe:2.3:a:hexpm:hex_core:*:*:*:*:*:*:*:*", "cpe:2.3:a:hexpm:hex:*:*:*:*:*:*:*:*", "cpe:2.3:a:erlang:rebar3:*:*:*:*:*:*:*:*" ] }- References
-
- https://github.com/hexpm/hex_core/security/advisories/GHSA-hx9w-f2w9-9g96
- https://github.com/hexpm/hex_core/commit/cdf726095bca85ad2549d146df1e831ae93c2b13
- https://github.com/hexpm/hex/commit/636739f3322514e9303ca335fb630696fcbb3c95
- https://github.com/erlang/rebar3/commit/1d4478f527e373de0b225951e53115450e0d9b9d
- https://hex.pm/packages/hex_core
- Credits
-
-
- Michael Lubas / Paraxial.ia - FINDER
-
- Jonatan Männchen / EEF - REMEDIATION_DEVELOPER
-
- Eric Meadows-Jönsson / Hex.pm - REMEDIATION_REVIEWER
-