Description
Insufficient Verification of Data Authenticity vulnerability in hexpm hex (Hex.RemoteConverger module) allows dependency integrity bypass via unverified lockfile checksums.

Hex stores checksums for dependencies in the mix.lock file to ensure reproducible and integrity-checked builds. However, Hex.RemoteConverger.verify_resolved/2 never executes checksum verification because the lock data returned by Hex.Utils.lock/1 uses string-based dependency names, while the verification logic compares against atom-based names. This type mismatch causes the verification code path to be silently skipped. Checksums are still validated when packages are initially downloaded from the registry, but mismatches between the lockfile and resolved dependencies are not detected.

An attacker who can influence cached packages (e.g., via local cache poisoning or a compromised registry) can provide modified dependency contents that will be accepted without detection. The mix.lock file is silently rewritten with the checksum values from the registry, erasing evidence of tampering.

This issue affects hex: from 0.16.0 before 2.4.2.
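The key-type mismatch described above, shown as an added Elixir illustration (this is not Hex's code; the module name, map shapes and checksum strings are constructed for the demo):

```elixir
defmodule LockfileCheckDemo do
  @moduledoc """
  Constructed demo of the key-type mismatch: lock data keyed by strings,
  resolved deps keyed by atoms. Not Hex's code; shapes and checksums are made up.
  """

  # Lock entries as the page says Hex.Utils.lock/1 returns them: string keys.
  @lock %{"sample_dep" => %{version: "1.0.0", checksum: "lock-checksum-AAAA"}}

  # Resolved dependencies keyed by atoms, as the verification side expects.
  # The checksum deliberately differs from the lock to simulate tampered content.
  @resolved %{sample_dep: %{version: "1.0.0", checksum: "registry-checksum-BBBB"}}

  # Buggy pattern: Map.get with an atom key never finds the string-keyed entry,
  # so every dependency takes the nil branch and the mismatch is never observed.
  def verify_buggy(lock \\ @lock, resolved \\ @resolved) do
    Enum.map(resolved, fn {name, %{checksum: got}} ->
      case Map.get(lock, name) do
        nil -> {name, :skipped}
        %{checksum: ^got} -> {name, :ok}
        %{checksum: _} -> {name, :mismatch}
      end
    end)
  end

  # Hardened pattern: normalise both sides to strings before the lookup and
  # treat a dependency absent from the lock as a failure, not a silent pass.
  def verify_fixed(lock \\ @lock, resolved \\ @resolved) do
    lock = Map.new(lock, fn {k, v} -> {to_string(k), v} end)

    Enum.map(resolved, fn {name, %{checksum: got}} ->
      case Map.get(lock, to_string(name)) do
        nil -> {name, :missing_from_lock}
        %{checksum: ^got} -> {name, :ok}
        %{checksum: _} -> {name, :mismatch}
      end
    end)
  end
end

IO.inspect(LockfileCheckDemo.verify_buggy(), label: "buggy")
IO.inspect(LockfileCheckDemo.verify_fixed(), label: "fixed")
```

The buggy path reports the dependency as skipped although its checksum differs from the lock; the normalised path reports the mismatch.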
Published: 2026-04-30
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Hex's RemoteConverger module skips checksum verification for dependencies written in mix.lock because the lock data is returned as string names while the verification logic expects atom names. As a result, the verification code path is silently omitted and the checksum checks are never performed. An attacker who can supply altered package content—either through a compromised registry or by poisoning the local cache—can provide malicious dependencies that will be accepted without detection. The mix.lock file is rewritten with checksum values from the registry, erasing evidence of tampering. This flaw allows an attacker to bypass dependency integrity checks and alter the code that is delivered to a build, effectively compromising the supply chain.

Affected Systems

hexpm's Hex package manager (hex) from version 0.16.0 up to, but not including, 2.4.2 is vulnerable. Any project that uses these versions of Hex to resolve dependencies and relies on mix.lock for reproducible builds is at risk. This includes Erlang/OTP projects and any language ecosystem that relies on Hex for dependency management.

Risk and Exploitability

The CVSS score of 8.9 signals high severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector (local cache poisoning or a compromised registry) means that exploitation requires influence over the registry or local package cache, an attack scenario that is plausible in controlled environments or supply-chain contexts. Because the checksum verification is bypassed, a successful attack could lead to arbitrary code execution or other supply-chain compromise. The risk is therefore significant, and the vulnerability should be treated as high-priority.

Generated by OpenCVE AI on May 1, 2026 at 05:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Hex to version 2.4.2 or newer, which restores checksum verification in RemoteConverger.
  • Rebuild affected projects and regenerate mix.lock to ensure the new checksums are recorded.
  • Clear any local package caches and delete old lock files before rebuilding to avoid re-introducing tampered checksums.
  • Secure the package registry by enforcing authenticated access, signing, and monitoring for unauthorized uploads.

Advisories

No advisories yet.

History

Thu, 30 Apr 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (empty)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 30 Apr 2026 19:00:00 +0000

Values Removed: (empty for every row below)

Type: Description
Values Added: Insufficient Verification of Data Authenticity vulnerability in hexpm hex (Hex.RemoteConverger module) allows dependency integrity bypass via unverified lockfile checksums. Hex stores checksums for dependencies in the mix.lock file to ensure reproducible and integrity-checked builds. However, Hex.RemoteConverger.verify_resolved/2 never executes checksum verification because the lock data returned by Hex.Utils.lock/1 uses string-based dependency names, while the verification logic compares against atom-based names. This type mismatch causes the verification code path to be silently skipped. Checksums are still validated when packages are initially downloaded from the registry, but mismatches between the lockfile and resolved dependencies are not detected. An attacker who can influence cached packages (e.g., via local cache poisoning or a compromised registry) can provide modified dependency contents that will be accepted without detection. The mix.lock file is silently rewritten with the checksum values from the registry, erasing evidence of tampering. This issue affects hex: from 0.16.0 before 2.4.2.

Type: Title
Values Added: Lockfile checksums not verified in Hex allows dependency integrity bypass

Type: First Time appeared
Values Added: Hexpm; Hexpm hex

Type: Weaknesses
Values Added: CWE-354; CWE-494

Type: CPEs
Values Added: cpe:2.3:a:hexpm:hex:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Hexpm; Hexpm hex

Type: References
Values Added:

Type: Metrics (cvssV4_0)
Values Added: {'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-01T04:33:38.198Z

Reserved: 2026-03-10T22:37:29.213Z

Link: CVE-2026-32148

Vulnrichment

Updated: 2026-04-30T19:03:21.319Z

NVD

Status : Awaiting Analysis

Published: 2026-04-30T19:16:09.000

Modified: 2026-05-01T15:26:51.053

Link: CVE-2026-32148

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T05:15:09Z

Weaknesses