{"id":"GHSA-hx9w-f2w9-9g96","summary":"hex_core has Unsafe Deserialization of Erlang Terms","details":"### Impact\n\nThe Hex client (`hex_core`) deserializes Erlang terms received from the Hex API using `binary_to_term/1` without sufficient restrictions.\n\nIf an attacker can control the HTTP response body returned by the Hex API, this allows denial-of-service attacks such as **atom table exhaustion**, leading to a VM crash. No released versions are known to allow remote code execution.\n\n### Patches\n\n* https://github.com/hexpm/hex_core/commit/cdf726095bca85ad2549d146df1e831ae93c2b13\n* https://github.com/hexpm/hex/commit/636739f3322514e9303ca335fb630696fcbb3c95\n* https://github.com/erlang/rebar3/commit/1d4478f527e373de0b225951e53115450e0d9b9d\n\n### Workarounds\n\nEnsure that the Hex API URL (`HEX_API_URL`) points only to trusted endpoints. There is no client-side workaround that fully mitigates this issue without applying the patch.\n\n### Resources\n\n* hex_core Module: https://github.com/hexpm/hex_core/blob/main/src/hex_api.erl\n* Hex Vendored Module: https://github.com/hexpm/hex/blob/main/src/mix_hex_api.erl\n* Rebar3 Vendored Module: https://github.com/erlang/rebar3/blob/main/apps/rebar/src/vendored/r3_hex_api.erl\n* hex_core Patch: https://github.com/hexpm/hex_core/commit/cdf726095bca85ad2549d146df1e831ae93c2b13\n* Hex Vendored Patch: https://github.com/hexpm/hex/commit/636739f3322514e9303ca335fb630696fcbb3c95\n* Rebar3 Vendored Patch: https://github.com/erlang/rebar3/commit/1d4478f527e373de0b225951e53115450e0d9b9d","aliases":["CVE-2026-21619","EEF-CVE-2026-21619"],"modified":"2026-04-06T23:34:56.174182Z","published":"2026-03-01T01:25:35Z","database_specific":{"github_reviewed_at":"2026-03-01T01:25:35Z","cwe_ids":["CWE-400"],"severity":"LOW","nvd_published_at":"2026-02-27T18:16:11Z","github_reviewed":true},"references":[{"type":"WEB","url":"https://github.com/hexpm/hex_core/security/advisories/GHSA-hx9w-f2w9-9g96"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21619"},{"type":"WEB","url":"https://github.com/erlang/rebar3/commit/1d4478f527e373de0b225951e53115450e0d9b9d"},{"type":"WEB","url":"https://github.com/hexpm/hex/commit/636739f3322514e9303ca335fb630696fcbb3c95"},{"type":"WEB","url":"https://github.com/hexpm/hex_core/commit/cdf726095bca85ad2549d146df1e831ae93c2b13"},{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-21619.html"},{"type":"PACKAGE","url":"https://github.com/hexpm/hex_core"},{"type":"WEB","url":"https://osv.dev/vulnerability/EEF-CVE-2026-21619"}],"affected":[{"package":{"name":"hex_core","ecosystem":"Hex","purl":"pkg:hex/hex_core"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.12.1"}]}],"versions":["0.1.0","0.1.1","0.10.0","0.10.1","0.10.2","0.10.3","0.11.0","0.12.0","0.2.0","0.2.1","0.3.0","0.4.0","0.5.0","0.5.1","0.6.0","0.6.1","0.6.10","0.6.2","0.6.3","0.6.4","0.6.5","0.6.6","0.6.7","0.6.8","0.6.9","0.7.0","0.7.1","0.8.0","0.8.1","0.8.2","0.8.3","0.8.4","0.9.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-hx9w-f2w9-9g96/GHSA-hx9w-f2w9-9g96.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"}]}