Description
Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation. This vulnerability is associated with program files src/hex_api.erl, src/mix_hex_api.erl, apps/rebar/src/vendored/r3_hex_api.erl and program routines hex_core:request/4, mix_hex_api:request/4, r3_hex_api:request/4.

This issue affects hex_core: from 0.1.0 before 0.12.1; hex: from 2.3.0 before 2.3.2; rebar3: from 3.9.1 before 3.27.0.
Published: 2026-02-27
Score: 2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via resource exhaustion
Action: Immediate Patch
AI Analysis

Impact

The vulnerability stems from unsafe deserialization of Erlang terms in the hex_core, hex, and rebar3 products, allowing an attacker to inject malicious objects that can cause excessive allocation of system resources. This can lead to denial of service conditions by exhausting memory or processing capacity. The weakness is identified as resource exhaustion and deserialization of untrusted data, mapped to CWE‑400 and CWE‑502.

Affected Systems

Affected vendors and products include Erlang’s rebar3, Hex’s hex, and hex_core. Specific vulnerable versions are: rebar3 3.9.1 through 3.26.x, hex 2.3.0 through 2.3.1, and hex_core 0.1.0 through 0.12.0.

Risk and Exploitability

The CVSS score is 2.0, indicating a low severity, and the EPSS score is less than 1%, signaling a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, implying no mass exploitation evidence. The likely attack vector is an application or module that loads untrusted data into these libraries; downstream applications that use these modules may be affected if they process external input unfiltered. Exploitation would require the attacker to provide malicious Erlang terms to one of the deserialization routines, resulting in uncontrolled resource allocation.

Generated by OpenCVE AI on April 15, 2026 at 23:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade all affected products to at least rebar3 3.27.0, hex 2.3.2, and hex_core 0.12.1 or later, which contain the deserialization fix.
  • If an upgrade is not immediately possible, apply the security patches from the commit records linked in the advisory (hex_core: cdf72609, hex: 636739f3, rebar3: 1d4478f5) to remove the unsafe deserialization logic.
  • Restrict or validate all external data before passing it to the hex_core, hex, or rebar3 APIs to ensure only trusted Erlang terms are processed.

Generated by OpenCVE AI on April 15, 2026 at 23:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hx9w-f2w9-9g96 hex_core has Unsafe Deserialization of Erlang Terms
History

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
References

Mon, 23 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Hex
Hex hex
Hex hex Core
CPEs cpe:2.3:a:hex:hex:*:*:*:*:*:*:*:*
cpe:2.3:a:hex:hex_core:*:*:*:*:*:*:*:*
Vendors & Products Hex
Hex hex
Hex hex Core
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Fri, 27 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation. This vulnerability is associated with program files src/hex_api.erl, src/mix_hex_api.erl, apps/rebar/src/vendored/r3_hex_api.erl and program routines hex_core:request/4, mix_hex_api:request/4, r3_hex_api:request/4. This issue affects hex_core: from 0.1.0 before 0.12.1; hex: from 2.3.0 before 2.3.2; rebar3: from 3.9.1 before 3.27.0.
Title Unsafe Deserialization of Erlang Terms in hex_core
First Time appeared Erlang
Erlang rebar3
Hexpm
Hexpm hex
Hexpm hex Core
Weaknesses CWE-400
CWE-502
CPEs cpe:2.3:a:erlang:rebar3:*:*:*:*:*:*:*:*
cpe:2.3:a:hexpm:hex:*:*:*:*:*:*:*:*
cpe:2.3:a:hexpm:hex_core:*:*:*:*:*:*:*:*
Vendors & Products Erlang
Erlang rebar3
Hexpm
Hexpm hex
Hexpm hex Core
References
Metrics cvssV4_0

{'score': 2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-04-06T16:44:11.526Z

Reserved: 2026-01-01T03:46:45.933Z

Link: CVE-2026-21619

cve-icon Vulnrichment

Updated: 2026-02-27T19:08:54.436Z

cve-icon NVD

Status : Modified

Published: 2026-02-27T18:16:11.373

Modified: 2026-04-06T17:17:07.037

Link: CVE-2026-21619

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T00:00:14Z

Weaknesses