
Paul Fleischer

Rank: #28644 of 53,632 · Total CVSS: 8.9 · Vulnerabilities: 1
PT-2026-36158 · CVSS 8.9 · 2026-04-30 · Hex · Hex · CVE-2026-32148
**Name of the Vulnerable Software and Affected Versions**

hex versions 0.16.0 through 2.4.1

**Description**

Insufficient Verification of Data Authenticity in the `Hex.RemoteConverger` module allows a dependency integrity bypass. The `Hex.RemoteConverger.verify_resolved/2` function never executes its checksum verification because of a type mismatch: `Hex.Utils.lock/1` returns string-based dependency names, whereas the verification logic expects atom-based names, so the comparison finds no matching entries and the check is silently skipped. Checksums are still validated during the initial download from the registry, but discrepancies between the lockfile and the resolved dependencies are not detected. An attacker capable of influencing cached packages, for example through local cache poisoning or a compromised registry, could supply modified dependency contents that are accepted without detection, because the `mix.lock` file is silently updated with the registry's checksums.

**Recommendations**

Update to version 2.4.2.