CVE-2026-21619: Unsafe Deserialization in Erlang hex_core

Vulnerability Key Information Vulnerability Overview Name: Unsafe Deserialization of Erlang Terms in hex_core Reporter: maennchen Published: 1 hour ago CVE ID: CVE-2026-21619 Affected Packages and Versions hex (otp) - Affected versions: >= 2.3.0 and = 3.9.1 and <= 3.27.0 - Fixed version: 3.27.0 Impact The Hex client (hex_core) deserializes Erlang terms received from the Hex API using without sufficient restrictions. If an attacker can control the HTTP response body returned by the Hex API, this could enable a denial-of-service attack, such as exhausting the atom table, leading to VM crash. No known versions allow remote code execution. Remediation Patch commits: - hexpm/hex_core@cdf7260 - hexpm/hex@636739f - erlang/rebar3@1d4478f Workarounds Ensure the Hex API URL (HEX_API_URL) points only to trusted endpoints. There is no client-side solution that fully mitigates this issue; the problem cannot be fully resolved without applying the patch. References hex_core module: https://github.com/hexpm/hex_core/blob/main/src/hex_api.erl Hex vendored module: https://github.com/hexpm/hex/blob/main/src/mix_hex_api.erl Rebar3 vendored module: https://github.com/erlang/rebar3/blob/main/apps/rebar/src/vendord/r3_hex_api.erl hex_core patch: hexpm/hex_core@cdf7260 Hex vendored patch: hexpm/hex@636739f Rebar3 vendored patch: erlang/rebar3@1d4478f Severity CVSS v4.0 Score: 2.0/10 Attack Vector: Network Attack Complexity: Low Attack Requirements: Present Privileges Required: Low User Interaction: Required Impact on Subsequent Systems: Confidentiality: None, Integrity: None, Availability: Low Discoverer and Fix Developer Discoverer: realcorvus Fix Developer: maennchen

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-21619: Unsafe Deserialization in Erlang hex_core

More from this source