Description
An Uncontrolled Resource Consumption and Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), and erlang rebar3 (r3_hex_api modules) allows Object Injection and Excessive Allocation. This vulnerability is associated with the program files src/hex_api.erl, src/mix_hex_api.erl, and apps/rebar/src/vendored/r3_hex_api.erl and the program routines hex_core:request/4, mix_hex_api:request/4, and r3_hex_api:request/4. This issue affects hex_core from 0.1.0 before 0.12.1; hex from 2.3.0 before 2.3.2; and rebar3 from 3.9.1 before 3.27.0.
Problem types
CWE-400 Uncontrolled Resource Consumption
CWE-502 Deserialization of Untrusted Data
Product status
eb327f8edfe45507351e38cc0805aa12fa647f0b (git) before cdf726095bca85ad2549d146df1e831ae93c2b13
0.1.0 (semver) before 0.12.1
314546ac432229518714cc8e3336e916b9da6305 (git) before 636739f3322514e9303ca335fb630696fcbb3c95
2.3.0 (semver) before 2.3.2
209c02ec57c2cc3207ee0174c3af3675b8dc8f79 (git) before 1d4478f527e373de0b225951e53115450e0d9b9d
3.9.1 (semver) before 3.27.0
Credits
Michael Lubas / Paraxial.io
Jonatan Männchen / EEF
Eric Meadows-Jönsson / Hex.pm
References
github.com/...x_core/security/advisories/GHSA-hx9w-f2w9-9g96
cna.erlef.org/cves/CVE-2026-21619.html
osv.dev/vulnerability/EEF-CVE-2026-21619
github.com/...ommit/cdf726095bca85ad2549d146df1e831ae93c2b13
github.com/...ommit/636739f3322514e9303ca335fb630696fcbb3c95
github.com/...ommit/1d4478f527e373de0b225951e53115450e0d9b9d