
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-21619: Unsafe Deserialization in Erlang Hex Ecosystem (hex_core, rebar3)


Vulnerability ID: CVE-2026-21619
CVSS Score: 2.0
Published: 2026-03-01

A critical unsafe deserialization vulnerability exists in hex_core, the reference implementation for the Hex package manager API, affecting downstream tools like hex and rebar3. The flaw stems from the use of the unsafe binary_to_term/1 function when processing HTTP response bodies, allowing attackers to trigger Denial of Service via atom table exhaustion or potentially achieve Remote Code Execution through object injection.

TL;DR

Vulnerable Erlang/Elixir build tools deserialize untrusted API responses using unsafe methods. An attacker controlling a package mirror or network position can inject malicious Erlang terms, causing VM crashes (DoS) or executing arbitrary code.
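The following module is an added illustration, not code from hex_core, hex or rebar3. It puts the pre-fix decode (`binary_to_term/1`) next to the post-fix decode (`binary_to_term/2` with `[safe]`) and shows, using `erlang:system_info(atom_count)`, why the first one is an atom-table exhaustion primitive and the second one is not. The module name, the function names, and the `MAX_BODY_BYTES` cap are assumptions for this example; the payload is a constructed external-term-format atom built by hand so that it cannot already exist in the VM.

```erlang
%% Added example (not hex_core's code): decoding an HTTP body with and
%% without the [safe] option, plus the checks a caller should wrap around it.
-module(hex_body_decode_demo).
-export([decode_unsafe/1, decode_safe/1, decode_safe/2, demo/0]).

%% Hypothetical upper bound on a response body; hex_core does not define this.
-define(MAX_BODY_BYTES, 16 * 1024 * 1024).

%% Pre-fix behaviour: binary_to_term/1 interns every atom found in the payload
%% (atoms are never garbage collected) and will also build funs from it.
decode_unsafe(RespBody) when is_binary(RespBody) ->
    {ok, binary_to_term(RespBody)}.

%% Post-fix behaviour: [safe] makes the VM reject payloads that would create
%% new atoms (directly, or embedded in pids/refs/funs) or new external funs.
decode_safe(RespBody) ->
    decode_safe(RespBody, ?MAX_BODY_BYTES).

decode_safe(RespBody, MaxBytes) when byte_size(RespBody) > MaxBytes ->
    %% [safe] does not bound term size, so cap the body before decoding
    %% (the CWE-400 side of the advisory).
    {error, {body_too_large, byte_size(RespBody)}};
decode_safe(RespBody, _MaxBytes) when is_binary(RespBody) ->
    %% [safe] is not total: it raises badarg on unsafe or malformed input,
    %% so convert that into an error tuple instead of crashing the caller.
    try
        {ok, binary_to_term(RespBody, [safe])}
    catch
        error:badarg -> {error, unsafe_or_malformed_term}
    end.

%% Constructed sample input: raw ETF bytes for an atom (version tag 131,
%% ATOM_UTF8_EXT tag 118, 2-byte length). Built by hand because
%% term_to_binary/1 would intern the atom while encoding it.
fresh_atom_payload() ->
    Suffix = integer_to_binary(erlang:unique_integer([positive])),
    Name = <<"cve_2026_21619_demo_atom_", Suffix/binary>>,
    <<131, 118, (byte_size(Name)):16, Name/binary>>.

demo() ->
    Payload = fresh_atom_payload(),
    Before = erlang:system_info(atom_count),
    SafeResult = decode_safe(Payload),            %% {error, unsafe_or_malformed_term}
    AfterSafe = erlang:system_info(atom_count),   %% unchanged: nothing interned
    {ok, _Atom} = decode_unsafe(Payload),         %% pre-fix path interns the atom
    AfterUnsafe = erlang:system_info(atom_count), %% one atom more, forever
    %% A legitimate response decodes fine under [safe] because every atom in
    %% it (map keys compiled into this module) already exists in the VM.
    Legit = term_to_binary(#{name => <<"hex_core">>, version => <<"0.12.1">>}),
    {ok, _Map} = decode_safe(Legit),
    #{safe_result => SafeResult,
      atoms_added_by_safe => AfterSafe - Before,
      atoms_added_by_unsafe => AfterUnsafe - AfterSafe}.
```

Compile it with `erlc hex_body_decode_demo.erl` and run `hex_body_decode_demo:demo().` in an Erlang shell: `atoms_added_by_safe` is 0 and `atoms_added_by_unsafe` is 1. Each call to `demo/0` adds another atom through the unsafe path, which is exactly the resource an attacker-controlled mirror can drain until the VM aborts; the `[safe]` path refuses the same bytes without touching the atom table.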


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-502 (Deserialization of Untrusted Data)
  • Secondary CWE: CWE-400 (Uncontrolled Resource Consumption)
  • Attack Vector: Network
  • CVSS v4.0: 2.0 (Low)
  • Impact: DoS / RCE
  • Exploit Status: PoC Available

Affected Systems

  • rebar3 < 3.27.0 (Fixed in: 3.27.0)
  • hex < 2.3.2 (Fixed in: 2.3.2)
  • hex_core < 0.12.1 (Fixed in: 0.12.1)

Code Analysis

Commit: cdf7260

Implementation of safe deserialization in hex_core

- {ok, {Status, RespHeaders, binary_to_term(RespBody)}};
+ {ok, {Status, RespHeaders, binary_to_term(RespBody, [safe])}};
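Review bot: The `+` line still lets `binary_to_term/2` raise `badarg` when the response body is unsafe or malformed, so a hostile or corrupt mirror can now crash the calling process instead of the VM; wrap the call in `try ... catch error:badarg -> {error, ...}` so the caller gets a return value it can handle. Separately, `[safe]` only blocks atom and fun creation, not oversized terms, so a `byte_size(RespBody)` limit before the decode would cover the CWE-400 side of this advisory.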

Commit: 1d4478f

Bump hex_core to 0.12.1 in rebar3

Vendoring update

Exploit Details

  • GitHub Advisory: Vendor advisory describing atom exhaustion and object injection vectors.

Mitigation Strategies

  • Update Build Tools
  • Enforce Strict TLS
  • Mirror Validation

Remediation Steps:

  1. Upgrade rebar3 to version 3.27.0 or later.
  2. Upgrade hex (Mix) to version 2.3.2 or later.
  3. Verify that hex_core in your dependency tree is version 0.12.1 or higher.
  4. Ensure all package repository URLs use HTTPS with strict certificate validation to prevent MitM attacks.

References


Read the full report for CVE-2026-21619 on our website for more details including interactive diagrams and full exploit analysis.
