## Vulnerability Key Information

### Vulnerability Overview

- **Name**: Unsafe Deserialization of Erlang Terms in hex_core
- **Reporter**: maennchen
- **Published**: 1 hour ago
- **CVE ID**: CVE-2026-21619

### Affected Packages and Versions

- **hex (otp)**
  - Affected versions: >= 2.3.0 and = 3.9.1 and <= 3.27.0
  - Fixed version: 3.27.0

### Impact

- The Hex client library (hex_core), and the copies of it vendored into Hex and Rebar3, deserialize Erlang terms received from the Hex API using `binary_to_term/1`, that is, without the `safe` option that restricts what a term from an untrusted source may create.
- An attacker who can control the HTTP response body returned by the Hex API can therefore supply terms that the client decodes without restriction. In Erlang, atoms created by `binary_to_term` are interned in the VM's atom table and are never garbage collected, so a stream of responses carrying previously unseen atoms can exhaust the atom table and crash the VM (denial of service).
- No known versions allow remote code execution.

### Remediation

- Update to a fixed version of hex_core, Hex or Rebar3, or apply the patch commits:
  - hexpm/hex_core@cdf7260
  - hexpm/hex@636739f
  - erlang/rebar3@1d4478f

### Workarounds

- Ensure the Hex API URL (`HEX_API_URL`) points only to trusted endpoints, since the attacker must control the API response body.
- There is no client-side configuration that fully mitigates this issue; the problem is only resolved by applying the patch.

### References

- hex_core module: https://github.com/hexpm/hex_core/blob/main/src/hex_api.erl
- Hex vendored module: https://github.com/hexpm/hex/blob/main/src/mix_hex_api.erl
- Rebar3 vendored module: https://github.com/erlang/rebar3/blob/main/apps/rebar/src/vendord/r3_hex_api.erl
- hex_core patch: hexpm/hex_core@cdf7260
- Hex vendored patch: hexpm/hex@636739f
- Rebar3 vendored patch: erlang/rebar3@1d4478f

### Severity

CVSS v4.0 Score: 2.0/10

- **Attack Vector**: Network
- **Attack Complexity**: Low
- **Attack Requirements**: Present
- **Privileges Required**: Low
- **User Interaction**: Required
- **Impact on Subsequent Systems**: Confidentiality: None, Integrity: None, Availability: Low

### Discoverer and Fix Developer

- **Discoverer**: realcorvus
- **Fix Developer**: maennchen
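The following module is an added illustration of the decoding pattern described under Impact and of the standard Erlang hardening for it; it is not code from hex_core, Hex or Rebar3, and it does not reproduce the actual patch. It contrasts an unrestricted `binary_to_term/1` call with `binary_to_term/2` using the `safe` option, which makes decoding fail with `badarg` when the payload would create new atoms (or other non-collectable resources such as external function references). The module name, function names and the sample response bodies are constructed for this example; the hostile body is assembled by hand in Erlang's external term format so that the atom is not interned locally before the decode is attempted.

```erlang
%% hex_term_decode_demo.erl -- added example, not hex_core's code.
%% Run with: erlc hex_term_decode_demo.erl && erl -noshell -s hex_term_decode_demo demo -s init stop
-module(hex_term_decode_demo).
-export([decode_unsafe/1, decode_safe/1, hostile_body/0, demo/0]).

%% The pattern the advisory describes: the response body is decoded with
%% no restrictions. Any atom embedded in the body that this VM has not
%% seen before is interned in the atom table, which is never garbage
%% collected (see erlang:system_info(atom_limit) for the hard cap).
decode_unsafe(Body) when is_binary(Body) ->
    binary_to_term(Body).

%% Hardened form: with `safe`, binary_to_term/2 raises badarg instead of
%% creating new atoms, new external funs or other unsafe resources.
%% Atoms that already exist in the VM still decode normally.
decode_safe(Body) when is_binary(Body) ->
    try
        {ok, binary_to_term(Body, [safe])}
    catch
        error:badarg -> {error, unsafe_term}
    end.

%% Constructed hostile body: a single atom with a name this VM has never
%% interned. Built from the external term format directly so that the atom
%% is not created here first (term_to_binary on an atom literal would do
%% exactly that). 131 = format version byte, 119 = SMALL_ATOM_UTF8_EXT,
%% then a one-byte length and the UTF-8 name.
hostile_body() ->
    Suffix = integer_to_binary(erlang:unique_integer([positive])),
    Name = <<"atom_that_does_not_exist_yet_", Suffix/binary>>,
    <<131, 119, (byte_size(Name)):8, Name/binary>>.

demo() ->
    %% Constructed benign body in the shape of an API response: the map keys
    %% are atoms that already exist because this module references them,
    %% so the safe decode accepts it.
    Benign = term_to_binary(#{name => <<"plug">>, version => <<"1.0.0">>}),
    {ok, #{name := <<"plug">>}} = decode_safe(Benign),

    %% The safe decode rejects the hostile body outright ...
    {error, unsafe_term} = decode_safe(hostile_body()),

    %% ... whereas the unrestricted decode interns a new atom on every call.
    Before = erlang:system_info(atom_count),
    _ = decode_unsafe(hostile_body()),
    _ = decode_unsafe(hostile_body()),
    After = erlang:system_info(atom_count),
    true = After >= Before + 2,
    io:format("atom_count grew from ~p to ~p (limit ~p)~n",
              [Before, After, erlang:system_info(atom_limit)]),
    ok.
```

Each call to `decode_unsafe/1` with a fresh name permanently consumes one atom table slot; repeating it until `atom_count` reaches `atom_limit` (1,048,576 by default) terminates the VM, which is the denial-of-service outcome the advisory describes. The `safe` option is a decode-time check on the payload and does not replace the workaround above: it protects the atom table, but a client should still only talk to a trusted `HEX_API_URL`.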