Description
hex_core has Unsafe Deserialization of Erlang Terms
Impact
The Hex client (hex_core) deserializes Erlang terms received from the Hex API using binary_to_term/1 without sufficient restrictions.
If an attacker can control the HTTP response body returned by the Hex API, this allows denial-of-service attacks such as atom table exhaustion, leading to a VM crash. No released versions are known to allow remote code execution.
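As an added illustration, not the project's own code or its patch, the following Erlang module decodes a response body with binary_to_term/2 and the safe option, so a payload that would create a new atom fails with badarg instead of consuming atom table slots; the module name and both sample payloads are constructed for this example.

```erlang
%% Added example (not hex_core's own code): decode an API response body
%% with binary_to_term/2 and the safe option instead of binary_to_term/1.
%% With [safe], the VM refuses to create new atoms (directly or embedded in
%% pids, refs and funs) and fails with badarg on such payloads.
-module(safe_decode).
-export([decode/1, demo/0]).

%% Returns {ok, Term} for a safely decodable body, {error, unsafe_term}
%% for a body the VM rejects, and {error, not_a_binary} otherwise.
decode(Body) when is_binary(Body) ->
    try binary_to_term(Body, [safe]) of
        Term -> {ok, Term}
    catch
        error:badarg -> {error, unsafe_term}
    end;
decode(_Other) ->
    {error, not_a_binary}.

demo() ->
    %% Constructed sample: a response whose atoms (ok, true) already exist.
    Good = term_to_binary(#{<<"name">> => <<"hex_core">>, ok => true}),
    {ok, #{<<"name">> := <<"hex_core">>}} = decode(Good),
    %% Constructed sample: external term format by hand, version 131,
    %% SMALL_ATOM_UTF8_EXT tag 119, 1-byte length, then the atom name.
    %% The name only ever appears here as a string, so this module does
    %% not create the atom itself; [safe] therefore rejects the payload.
    Bad = <<131, 119, 26, "never_before_seen_atom_xyz">>,
    {error, unsafe_term} = decode(Bad),
    ok.
```

The safe option bounds atom creation only; it does not cap the size of the decoded term, so a limit on the accepted response body length is a complementary check.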
Patches
- https://github.com/hexpm/hex_core/commit/cdf726095bca85ad2549d146df1e831ae93c2b13
- https://github.com/hexpm/hex/commit/636739f3322514e9303ca335fb630696fcbb3c95
- https://github.com/erlang/rebar3/commit/1d4478f527e373de0b225951e53115450e0d9b9d
Workarounds
Ensure that the Hex API URL (HEX_API_URL) points only to trusted endpoints. There is no client-side workaround that fully mitigates this issue without applying the patch.
Resources
- hex_core Module: https://github.com/hexpm/hex_core/blob/main/src/hex_api.erl
- Hex Vendored Module: https://github.com/hexpm/hex/blob/main/src/mix_hex_api.erl
- Rebar3 Vendored Module: https://github.com/erlang/rebar3/blob/main/apps/rebar/src/vendored/r3_hex_api.erl
- hex_core Patch: https://github.com/hexpm/hex_core/commit/cdf726095bca85ad2549d146df1e831ae93c2b13
- Hex Vendored Patch: https://github.com/hexpm/hex/commit/636739f3322514e9303ca335fb630696fcbb3c95
- Rebar3 Vendored Patch: https://github.com/erlang/rebar3/commit/1d4478f527e373de0b225951e53115450e0d9b9d
References
- https://github.com/hexpm/hex_core/security/advisories/GHSA-hx9w-f2w9-9g96
- https://nvd.nist.gov/vuln/detail/CVE-2026-21619
- https://github.com/erlang/rebar3/commit/1d4478f527e373de0b225951e53115450e0d9b9d
- https://github.com/hexpm/hex/commit/636739f3322514e9303ca335fb630696fcbb3c95
- https://github.com/hexpm/hex_core/commit/cdf726095bca85ad2549d146df1e831ae93c2b13
Packages
hex_core: affected versions < 0.12.1, patched in 0.12.1
Related vulnerabilities
Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation. This vulnerability is associated with program files src/hex_api.erl, src/mix_hex_api.erl, apps/rebar/src/vendored/r3_hex_api.erl and program routines hex_core:request/4, mix_hex_api:request/4, r3_hex_api:request/4. This issue affects hex_core: from 0.1.0 before 0.12.1; hex: from 2.3.0 before 2.3.2; rebar3: from 3.9.1 before 3.27.0.