CVE-2026-21619
Deserialization and Resource Exhaustion in hexpm and rebar
Publication date: 2026-02-27
Last updated on: 2026-04-06
Assigner: EEF
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hex | hex | From 2.3.0 (inc) to 2.3.2 (exc) |
| hex | hex_core | From 0.1.0 (inc) to 0.12.1 (exc) |
| erlang | rebar3 | From 3.9.1 (inc) to 3.27.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves uncontrolled resource consumption and deserialization of untrusted data in certain modules of hexpm hex_core, hexpm hex, and erlang rebar3. It allows an attacker to perform object injection and cause excessive allocation of resources. The affected program files include src/hex_api.erl, src/mix_hex_api.erl, and apps/rebar/src/vendored/r3_hex_api.erl, specifically in the routines hex_core:request/4, mix_hex_api:request/4, and r3_hex_api:request/4.
What immediate steps should I take to mitigate this vulnerability?
I don't know
How can this vulnerability impact me? :
The vulnerability can lead to excessive consumption of system resources due to uncontrolled allocation triggered by deserialization of untrusted data. This can result in degraded system performance or denial of service conditions. Additionally, object injection may allow attackers to manipulate program behavior or data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know