hexpm/hex Insufficient Verification of Data Authenticity Vulnerability (CVE-2026-32148)

EEF-CVE-2026-32148 Vulnerability Summary Vulnerability Overview Vulnerability Name: Insufficient Verification of Data Authenticity vulnerability in hexpm hex (Hex.RemoteConverger module) Vulnerability Description: Hex stores checksums of dependencies to ensure reproducible and integrity-checked builds. However, never performs checksum verification because the lock data returned by uses string dependency names, while the verification logic compares against atom names. This type mismatch causes the verification code path to be silently skipped. Although checksums are still verified when packages are initially downloaded from the registry, mismatches between the lockfile and resolved dependencies go undetected. Attack Scenario: An attacker can provide modified dependency content by compromising cached packages (e.g., via local cache poisoning or a contaminated registry), which can be accepted undetected. The file is silently rewritten using checksum values from the registry, thereby erasing evidence of tampering. CVSS Score: 9.9 (High) CVSS Vector: CVSS:3.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VA:H/SC:N/SI:N/SA:H Affected Scope Affected Software: hex (https://github.com/hexpm/hex.git) Affected Versions: - v0. - v1. - v2. Affected Version Range: - Introduced in: 8d1576f28c4d41d1f1ed6b17c0d43816cf1cb303 - Fixed in: d7528c8199a114d511580b13af460026a5a1c58e Impacted Versions: From 0.16.0 to 2.4.2 Remediation Fixed Version: Upgrade to v2.4.2 or later Fix Commit**: https://github.com/hexpm/hex/commit/d7528c8199a114d511580b13af460026a5a1c58e References CVE-2026-32148: https://cna.ariel.org/osv/EEF-CVE-2026-32148.html GHSA-hmv9-4mfr-m92v: https://github.com/hexpm/hex/security/advisories/GHSA-hmv9-4mfr-m92v Fix Commit: https://github.com/hexpm/hex/commit/d7528c8199a114d511580b13af460026a5a1c58e Database Specific Information

Goal Reached Thanks to every supporter — we hit 100%!

hexpm/hex Insufficient Verification of Data Authenticity Vulnerability (CVE-2026-32148)

More from this source