Home

Description

Uncontrolled Resource Consumption vulnerability in hexpm hexpm/hexpm allows Excessive Allocation. Publishing an oversized package can cause Hex.pm to run out of memory while extracting the uploaded package tarball. This can terminate the affected application instance and result in a denial of service for package publishing and potentially other package-processing functionality. This issue affects hexpm: before 495f01607d3eae4aed7ad09b2f54f31ec7a7df01; hex.pm: before 2026-03-10.

PUBLISHED Reserved 2026-01-19 | Published 2026-03-13 | Updated 2026-03-13 | Assigner EEF




HIGH: 7.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-400 Uncontrolled Resource Consumption

Product status

Default status
affected

Any version before 495f01607d3eae4aed7ad09b2f54f31ec7a7df01
affected

pkg:github/hexpm/hexpm@0 (purl) before pkg:github/hexpm/hexpm@495f01607d3eae4aed7ad09b2f54f31ec7a7df01
affected

Default status
unaffected

Any version before 2026-03-10
affected

Credits

Joud Zakharia / zentrust partners GmbH finder

Eric Meadows-Jönsson / Hex.pm remediation developer

References

github.com/.../hexpm/security/advisories/GHSA-jp8w-gxf6-8hcr vendor-advisory

github.com/...ommit/495f01607d3eae4aed7ad09b2f54f31ec7a7df01 patch

cve.org (CVE-2026-23940)

nvd.nist.gov (CVE-2026-23940)

Download JSON