### Vulnerability Overview

* **CVE ID**: CVE-2026-21619
* **Vulnerability Name**: Unsafe Deserialization of Erlang Terms in hex_core
* **CVSS Score**: 2.0 (Low)
* **Vulnerability Type**: Uncontrolled Resource Consumption, Deserialization of Untrusted Data, Object Injection, Excessive Allocation.
* **Detailed Description**: This vulnerability exists within the `hexpm hex_core`, `hexpm hex`, and `erlang rebar3` modules. An attacker can construct malicious data to trigger object injection and excessive allocation. The affected core files include `src/hex_api.erl`, `src/mix_hex_api.erl`, and the `request/4` routines within `apps/rebar/src/vendored/r3_hex_api.erl`.

### Affected Scope

The following modules and versions are affected by this vulnerability:

* **hex_core**: Version < 0.12.1 (Git commit < cd720895bca)
* **hex**: Version < 2.3.2 (Git commit < 636739f3225)
* **rebar3**: Version < 3.27.0 (Git commit < 164478527e3)

Specifically affected modules include `hex_api`, `mix_hex_api`, and `r3_hex_api`.

### Remediation

It is recommended to upgrade the relevant components to the following versions to remediate the vulnerability:

* Upgrade `hex_core` to **0.12.1** or higher.
* Upgrade `hex` to **2.3.2** or higher.
* Upgrade `rebar3` to **3.27.0** or higher.

### POC/Exploit Code

No specific POC code or exploit code is included in the page.
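
For checking an installation against the fixed releases listed under Remediation, the following Python sketch is an added example, not code from the advisory page or the affected projects. It compares a version string to the fixed release and scans a `mix.lock` or `rebar.lock` for a pinned `hex_core`; the lockfile entry shapes matched by the regexes are assumptions, and the sample lockfiles are constructed.

```python
import re

# Fixed releases, taken from the Remediation list above.
FIXED = {"hex_core": (0, 12, 1), "hex": (2, 3, 2), "rebar3": (3, 27, 0)}

# Assumed entry shapes:
#   mix.lock:   "hex_core": {:hex, :hex_core, "0.10.0", ...
#   rebar.lock: {<<"hex_core">>,{pkg,<<"hex_core">>,<<"0.10.0">>},0}
LOCK_PATTERNS = [
    re.compile(r'\{:hex,\s*:(\w+),\s*"([^"]+)"'),
    re.compile(r'\{pkg,\s*<<"(\w+)">>,\s*<<"([^"]+)">>'),
]
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)(?:\.(\d+))?([-+].*)?")


def is_affected(component, version):
    """True if `version` of `component` predates the fixed release."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    found = tuple(int(g or 0) for g in m.groups()[:3])
    # A pre-release of the fixed version (e.g. 2.3.2-rc.1) sorts before it.
    prerelease = (m.group(4) or "").startswith("-")
    fixed = FIXED[component]
    return found < fixed or (found == fixed and prerelease)


def scan_lockfile(text):
    """Return (package, version, affected) for each hex_core pin in a lockfile."""
    hits = []
    for pattern in LOCK_PATTERNS:
        for name, version in pattern.findall(text):
            if name == "hex_core":
                hits.append((name, version, is_affected(name, version)))
    return hits


# Constructed sample lockfiles (checksums replaced with placeholders).
SAMPLE_MIX_LOCK = """%{
  "hex_core": {:hex, :hex_core, "0.10.0", "<checksum>", [:rebar3], [], "hexpm", "<checksum>"},
  "jason": {:hex, :jason, "1.4.1", "<checksum>", [:mix], [], "hexpm", "<checksum>"},
}"""
SAMPLE_REBAR_LOCK = """{"1.2.0",
[{<<"hex_core">>,{pkg,<<"hex_core">>,<<"0.12.1">>},0}]}."""

if __name__ == "__main__":
    for sample in (SAMPLE_MIX_LOCK, SAMPLE_REBAR_LOCK):
        for name, version, affected in scan_lockfile(sample):
            print(f"{name} {version}: {'AFFECTED' if affected else 'ok'}")
```

`hex` and `rebar3` are build tools rather than lockfile dependencies, so pass their installed version strings to `is_affected` directly.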