GHSA-hx9w-f2w9-9g96 (CVE-2026-21619)

Details

Impact

The Hex client (hex_core) deserializes Erlang terms received from the Hex API using binary_to_term/1 without sufficient restrictions.

If an attacker can control the HTTP response body returned by the Hex API, this allows denial-of-service attacks such as atom table exhaustion, leading to a VM crash. No released versions are known to allow remote code execution.

Patches

https://github.com/hexpm/hex_core/commit/cdf726095bca85ad2549d146df1e831ae93c2b13
https://github.com/hexpm/hex/commit/636739f3322514e9303ca335fb630696fcbb3c95
https://github.com/erlang/rebar3/commit/1d4478f527e373de0b225951e53115450e0d9b9d

Workarounds

Ensure that the Hex API URL (HEX_API_URL) points only to trusted endpoints. There is no client-side workaround that fully mitigates this issue without applying the patch.

Resources

hex_core Module: https://github.com/hexpm/hex_core/blob/main/src/hex_api.erl
Hex Vendored Module: https://github.com/hexpm/hex/blob/main/src/mix_hex_api.erl
Rebar3 Vendored Module: https://github.com/erlang/rebar3/blob/main/apps/rebar/src/vendored/r3_hex_api.erl
hex_core Patch: https://github.com/hexpm/hex_core/commit/cdf726095bca85ad2549d146df1e831ae93c2b13
Hex Vendored Patch: https://github.com/hexpm/hex/commit/636739f3322514e9303ca335fb630696fcbb3c95
Rebar3 Vendored Patch: https://github.com/erlang/rebar3/commit/1d4478f527e373de0b225951e53115450e0d9b9d

Affected Packages

hex_core

Hex

Fixed in:

0.12.1

References

ADVISORY

https://github.com/advisories/GHSA-hx9w-f2w9-9g96

WEB

https://github.com/erlang/rebar3/commit/1d4478f527e373de0b225951e53115450e0d9b9d

WEB

https://github.com/hexpm/hex/commit/636739f3322514e9303ca335fb630696fcbb3c95