GHSA-hx9w-f2w9-9g96
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hx9w-f2w9-9g96
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-hx9w-f2w9-9g96/GHSA-hx9w-f2w9-9g96.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-hx9w-f2w9-9g96
- Aliases
- Published
- 2026-03-01T01:25:35Z
- Modified
- 2026-04-06T23:34:56.174182Z
- Severity
-
- 2.0 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- hex_core has Unsafe Deserialization of Erlang Terms
- Details
-
Impact
The Hex client (
hex_core) deserializes Erlang terms received from the Hex API usingbinary_to_term/1without sufficient restrictions.If an attacker can control the HTTP response body returned by the Hex API, this allows denial-of-service attacks such as atom table exhaustion, leading to a VM crash. No released versions are known to allow remote code execution.
Patches
- https://github.com/hexpm/hex_core/commit/cdf726095bca85ad2549d146df1e831ae93c2b13
- https://github.com/hexpm/hex/commit/636739f3322514e9303ca335fb630696fcbb3c95
- https://github.com/erlang/rebar3/commit/1d4478f527e373de0b225951e53115450e0d9b9d
Workarounds
Ensure that the Hex API URL (
HEX_API_URL) points only to trusted endpoints. There is no client-side workaround that fully mitigates this issue without applying the patch.Resources
- hexcore Module: https://github.com/hexpm/hexcore/blob/main/src/hex_api.erl
- Hex Vendored Module: https://github.com/hexpm/hex/blob/main/src/mixhexapi.erl
- Rebar3 Vendored Module: https://github.com/erlang/rebar3/blob/main/apps/rebar/src/vendored/r3hexapi.erl
- hexcore Patch: https://github.com/hexpm/hexcore/commit/cdf726095bca85ad2549d146df1e831ae93c2b13
- Hex Vendored Patch: https://github.com/hexpm/hex/commit/636739f3322514e9303ca335fb630696fcbb3c95
- Rebar3 Vendored Patch: https://github.com/erlang/rebar3/commit/1d4478f527e373de0b225951e53115450e0d9b9d
- Database specific
{ "nvd_published_at": "2026-02-27T18:16:11Z", "severity": "LOW", "github_reviewed": true, "cwe_ids": [ "CWE-400" ], "github_reviewed_at": "2026-03-01T01:25:35Z" }- References
-
- https://github.com/hexpm/hex_core/security/advisories/GHSA-hx9w-f2w9-9g96
- https://nvd.nist.gov/vuln/detail/CVE-2026-21619
- https://github.com/erlang/rebar3/commit/1d4478f527e373de0b225951e53115450e0d9b9d
- https://github.com/hexpm/hex/commit/636739f3322514e9303ca335fb630696fcbb3c95
- https://github.com/hexpm/hex_core/commit/cdf726095bca85ad2549d146df1e831ae93c2b13
- https://cna.erlef.org/cves/CVE-2026-21619.html
- https://github.com/hexpm/hex_core
- https://osv.dev/vulnerability/EEF-CVE-2026-21619
Affected packages
Hex / hex_core
Package
- Name
- hex_core
- Purl
- pkg:hex/hex_core
Affected ranges
- Type
- SEMVER
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.12.1