CVE-2026-23939 (status: Received - Intake)
Path Traversal in Hexpm Local Storage Backend Allows File Access

Publication date: 2026-02-26

Last updated on: 2026-04-06

Assigner: EEF

Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in hexpm hexpm/hexpm ('Elixir.Hexpm.Store.Local' module) allows Relative Path Traversal. This vulnerability is associated with program files lib/hexpm/store/local.ex and program routines 'Elixir.Hexpm.Store.Local':get/3, 'Elixir.Hexpm.Store.Local':put/4, 'Elixir.Hexpm.Store.Local':delete/2, 'Elixir.Hexpm.Store.Local':delete_many/2. This issue does NOT affect hex.pm the service. Only self-hosted deployments using the Local Storage backend are affected. This issue affects hexpm: from 931ee0ed46fa89218e0400a4f6e6d15f96406050 before 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0.
Meta Information
Published: 2026-02-26
Last Modified: 2026-04-06
Generated: 2026-05-07
AI Q&A: 2026-02-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: hex
Product: hexpm
Version / Range: From 2014-09-29 (inc) to 2026-02-26 (exc)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-23939 is a path traversal vulnerability in the local file storage backend of the hexpm registry, specifically in the 'Elixir.Hexpm.Store.Local' module. This vulnerability allows attackers to use relative path sequences like "../" to escape the intended storage directory and read arbitrary files accessible by the process running the registry.

The issue arises because certain endpoints directly use user-controlled path parameters without properly restricting them to a confined directory. Although the local backend uses a path joining function, it does not enforce restrictions to prevent traversal outside the storage root.

This vulnerability affects only self-hosted or development/test deployments using the local filesystem store backend and does not impact the hex.pm production service, which uses a different storage backend. [1]


How can this vulnerability impact me?

This vulnerability can allow an attacker to read arbitrary files on the system where the vulnerable local file storage backend is running, within the permissions of the process. This means sensitive files accessible to the registry process could be exposed.

Since the attack requires no privileges or user interaction and can be performed remotely over the network, it poses a moderate risk in environments where the local backend is enabled and exposed.

However, the vulnerability does not allow modification or deletion of files outside the intended directory, and it does not affect the integrity or availability of the system.

Mitigations include avoiding use of the local file store backend in exposed environments, restricting network access to registries using the local backend, and using alternative storage backends such as S3-compatible object storage for production.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if your self-hosted hexpm deployment uses the local file storage backend and if it is vulnerable to path traversal via user-controlled path parameters containing sequences like "../".

One way to detect exploitation attempts is to monitor logs or network traffic for requests containing path traversal patterns such as "../" in storage keys or file paths.

Since the vulnerability allows arbitrary file reads within the permissions of the running process, you can also attempt to test the system by sending crafted requests with path traversal sequences to the affected endpoints if you have access.

Specific commands are not provided in the resources, but general detection commands might include searching logs for suspicious path traversal patterns, for example using grep:

- grep -r '\.\./' /path/to/hexpm/logs
- tcpdump or Wireshark filters to capture network requests containing "../" sequences.

Additionally, reviewing the version of hexpm you are running and checking if it is between commit 931ee0e and before 5d2ccd2f can help identify if the vulnerable code is present. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include avoiding the use of the local file store backend in any exposed or production environments.

Restrict network access to any registries using the local backend to trusted users or internal networks only.

Consider switching to object storage backends such as S3-compatible storage for production deployments instead of the local filesystem store.

Apply the patch that introduces strict path validation (commit 5d2ccd2f) which prevents path traversal by validating storage keys and raising errors on invalid paths.

If you maintain a self-hosted hexpm instance, upgrade to a version that includes the fix from commit 5d2ccd2f or later.
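The checks that the detection and mitigation answers above describe, as an added Python example that is neither hexpm's code nor the 5d2ccd2f patch: a vulnerable join beside a hardened storage-key check that refuses any key resolving outside the root, plus a scan of constructed log lines for raw and percent-encoded ".." segments. STORAGE_ROOT, the function names and the sample log lines are assumptions.

```python
import os
import re
from urllib.parse import unquote
STORAGE_ROOT = "/var/lib/hexpm/store"  # assumed; the page gives no real default path

def unsafe_local_path(root, key):
    # Vulnerable pattern: join the caller-controlled key onto the root as-is.
    # os.path.join follows '..' upwards and even discards root for an absolute key.
    return os.path.normpath(os.path.join(root, key))

def safe_local_path(root, key):
    """Hardened pattern: resolve the key under the root and raise unless the
    result stays strictly inside it (the kind of validation the fix describes)."""
    if not key or "\0" in key:
        raise ValueError("empty or NUL-bearing storage key")
    root_abs = os.path.abspath(root)
    candidate = os.path.abspath(os.path.join(root_abs, key))
    if candidate == root_abs or os.path.commonpath([root_abs, candidate]) != root_abs:
        raise ValueError(f"storage key escapes root: {key!r}")
    return candidate

def key_is_valid(root, key):
    try:
        safe_local_path(root, key)
        return True
    except ValueError:
        return False

# A '..' path segment, checked on the raw path and after up to two URL-decodes.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

def is_traversal_request(path):
    decoded = path
    for _ in range(2):
        if TRAVERSAL.search(decoded):
            return True
        decoded = unquote(decoded)
    return bool(TRAVERSAL.search(decoded))

# Constructed sample access-log lines (method, path, status); not real hexpm output.
SAMPLE_LOG = """\
GET /tarballs/plug-1.14.0.tar 200
GET /tarballs/..%2F..%2F..%2Fetc%2Fpasswd 200
GET /tarballs/../../../etc/passwd 200
GET /tarballs/%252e%252e/%252e%252e/config/prod.secret.exs 200
"""

def suspicious_lines(log):
    return [line for line in log.splitlines()
            if len(line.split()) >= 2 and is_traversal_request(line.split()[1])]
```

The double-decode loop matters because a single grep for "../" misses %2F and %252e variants that the server will still decode before joining.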

