Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in hexpm hexpm/hexpm ('Elixir.Hexpm.Store.Local' module) allows Relative Path Traversal. This vulnerability is associated with program files lib/hexpm/store/local.ex and program routines 'Elixir.Hexpm.Store.Local':get/3, 'Elixir.Hexpm.Store.Local':put/4, 'Elixir.Hexpm.Store.Local':delete/2, 'Elixir.Hexpm.Store.Local':delete_many/2.

This issue does NOT affect hex.pm the service. Only self-hosted deployments using the Local Storage backend are affected.

This issue affects hexpm: from 931ee0ed46fa89218e0400a4f6e6d15f96406050 before 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0.
Published: 2026-02-26
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted file access through local file store
Action: Immediate Patch
AI Analysis

Impact

An improper limitation of pathname validation in the local file store backend of self-hosted Hexpm allows relative path traversal (CWE-22). An attacker who can influence the key passed to the get/put/delete operations of the Local Store module can access or modify files outside the designated storage directory; the ability to read or overwrite arbitrary files can compromise sensitive data or disrupt the registry's operation. The flaw affects Hexpm installations that use the local filesystem backend for package storage and is present from commit 931ee0ed46fa89218e0400a4f6e6d15f96406050 up to, but not including, commit 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0. The risk assessment shows a CVSS score of 6.9 and an EPSS below 1%, indicating moderate severity with a low probability of exploitation; the vulnerability is not listed in CISA's KEV catalog. An attacker would most likely go through any publicly exposed API or service that performs local store operations, particularly in a managed or shared hosting environment. Mitigation requires applying the fix or changing the deployment configuration to prevent such access.

Affected Systems

Self-hosted Hexpm installations that use the local filesystem backend for package storage. The vulnerability affects hexpm versions from commit 931ee0ed46fa89218e0400a4f6e6d15f96406050 up to, but not including, commit 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0. Hex.pm's hosted service is not affected.

Risk and Exploitability

The CVSS score of 6.9 reflects a moderate impact, with a potential integrity breach of the registry's file system. EPSS indicates a very low exploitation likelihood (< 1%), and the vulnerability is not in CISA's KEV catalog. Attackers would most likely attempt path traversal through whatever exposed functionality reaches the local store's get, put and delete operations, especially if the registry is publicly reachable or shared. Where the local backend is isolated or the network is restricted, the risk remains low, but any exposed instance can allow unauthorized file access or modification.
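As an added illustration (not hexpm's code and not the fix in commit 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0), the check below shows how a local file store can confine every caller-supplied key to its storage root before get/put/delete touch the filesystem; the module name, root directory and key values are constructed for the example.

```elixir
defmodule ConfinedLocalStore do
  @moduledoc """
  Added example: resolve a storage key under a fixed root and refuse any
  key whose normalized absolute path escapes that root (CWE-22 mitigation).
  """

  @spec safe_path(Path.t(), String.t()) :: {:ok, Path.t()} | {:error, :path_traversal}
  def safe_path(root, key) when is_binary(root) and is_binary(key) do
    root = Path.expand(root)

    cond do
      # Path.expand/2 would turn a leading "~" into the home directory, and a
      # NUL byte would truncate the name at the OS boundary; reject both early.
      String.starts_with?(key, "~") or String.contains?(key, <<0>>) ->
        {:error, :path_traversal}

      true ->
        # Path.expand/2 joins a relative key onto root and collapses "." and
        # ".." segments; an absolute key ignores root entirely, which the
        # prefix check below catches.
        full = Path.expand(key, root)

        # Accept the root itself or a path strictly under "root/", so that
        # "/srv/store2/x" is not mistaken for a child of "/srv/store".
        if full == root or String.starts_with?(full, root <> "/") do
          {:ok, full}
        else
          {:error, :path_traversal}
        end
    end
  end

  @doc "Reads an object from the store; keys that escape `root` never reach File.read/1."
  def get(root, key) do
    with {:ok, path} <- safe_path(root, key), do: File.read(path)
  end
end

# Constructed checks (run with `elixir confined_store.exs`); each clause raises
# MatchError if the result differs from the expected value.
{:ok, "/srv/store/pkg/foo-1.0.0.tar"} = ConfinedLocalStore.safe_path("/srv/store", "pkg/foo-1.0.0.tar")
{:error, :path_traversal} = ConfinedLocalStore.safe_path("/srv/store", "../../etc/passwd")
{:error, :path_traversal} = ConfinedLocalStore.safe_path("/srv/store", "/etc/passwd")
{:error, :path_traversal} = ConfinedLocalStore.safe_path("/srv/store", "pkg/../../store2/x")
IO.puts("all path checks passed")
```

The prefix test works on the normalized string and does not resolve symbolic links already inside the root, and a root of "/" makes it refuse every key, so point it at a dedicated storage subdirectory.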

Generated by OpenCVE AI on April 15, 2026 at 23:53 UTC.

Remediation

Vendor Workaround

* Avoid the local file store backend in any exposed environment.
* Restrict network access to the registry when using the local backend.
* Production deployments should use object storage (e.g., S3-compatible backends) instead of the local filesystem store.


OpenCVE Recommended Actions

  • Update Hexpm to a version released after commit 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0
  • Replace the local filesystem backend with an object storage backend (e.g., S3 or S3-compatible services) for artifact storage
  • If a backend change is not immediately feasible, restrict network exposure of the registry and isolate the local file store from external access

Generated by OpenCVE AI on April 15, 2026 at 23:53 UTC.

Advisories

No advisories yet.

History

Mon, 06 Apr 2026 16:45:00 +0000


Mon, 23 Mar 2026 17:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Hex
                                      Hex hexpm
CPEs                                  cpe:2.3:a:hex:hexpm:*:*:*:*:*:*:*:*
Vendors & Products                    Hex
                                      Hex hexpm
Metrics                               cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Fri, 27 Feb 2026 05:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 20:15:00 +0000

Type                 Values Removed   Values Added
Description                           Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in hexpm hexpm/hexpm ('Elixir.Hexpm.Store.Local' module) allows Relative Path Traversal. This vulnerability is associated with program files lib/hexpm/store/local.ex and program routines 'Elixir.Hexpm.Store.Local':get/3, 'Elixir.Hexpm.Store.Local':put/4, 'Elixir.Hexpm.Store.Local':delete/2, 'Elixir.Hexpm.Store.Local':delete_many/2. This issue does NOT affect hex.pm the service. Only self-hosted deployments using the Local Storage backend are affected. This issue affects hexpm: from 931ee0ed46fa89218e0400a4f6e6d15f96406050 before 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0.
Title                                 Path Traversal in Local File Store Backend
First Time appeared                   Hexpm
                                      Hexpm hexpm
Weaknesses                            CWE-22
CPEs                                  cpe:2.3:a:hexpm:hexpm:*:*:*:*:*:*:*:*
Vendors & Products                    Hexpm
                                      Hexpm hexpm
References
Metrics                               cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-04-07T14:38:03.183Z

Reserved: 2026-01-19T14:23:14.343Z

Link: CVE-2026-23939

Vulnrichment

Updated: 2026-02-26T20:24:20.054Z

NVD

Status: Modified

Published: 2026-02-26T20:31:35.763

Modified: 2026-04-06T17:17:07.923

Link: CVE-2026-23939

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T00:00:14Z

Weaknesses