Realcorvus

**Name of the Vulnerable Software and Affected Versions** hexpm versions prior to 71c127afebb7ed7cc637eb231b98feb802d62999 **Description** A flaw exists in the authorization process within the 'Elixir.HexpmWeb.API.OAuthController' module of hexpm, potentially leading to privilege escalation. Specifically, when exchanging a read-only API key using the OAuth client credentials grant, the intended resource qualifier is disregarded. This results in a JWT being issued with broad "api" scope instead of the expected "api:read" scope. Consequently, the token is treated as having full API access. An attacker who obtains a victim's read-only API key and a valid TOTP code can exploit this to generate a new, unrestricted full-access API key that does not expire by default, enabling write operations like publishing, retiring, or modifying packages. The issue is associated with the program files lib/hexpm web/controllers/api/oauth controller.ex and the `Elixir.HexpmWeb.API.OAuthController`:validate scopes against key/2 routine. **Recommendations** Update to version 71c127afebb7ed7cc637eb231b98feb802d62999 or later to address the incorrect scope assignment during OAuth token exchange.

**Name of the Vulnerable Software and Affected Versions** hexpm versions prior to bb0e42091995945deef10556f58d046a52eb7884 **Description** A flaw exists in hexpm that allows for account takeover due to insufficient session expiration. Specifically, password reset tokens generated through the password reset functionality do not expire, remaining valid indefinitely. An attacker gaining access to a previously leaked email containing a valid password reset token can exploit this to reset a victim's password without needing current access to the victim’s email account. The vulnerable code resides in the `Elixir.Hexpm.Accounts.PasswordReset` module and the `can reset?/3` function. **Recommendations** Update hexpm to version bb0e42091995945deef10556f58d046a52eb7884 or later.

**Name of the Vulnerable Software and Affected Versions** hex core versions 0.1.0 through 0.12.0 hex versions 2.3.0 through 2.3.1 rebar3 versions 3.9.1 through 3.26.9 **Description** An issue exists in hex core, hex, and rebar3 related to uncontrolled resource consumption and deserialization of untrusted data. This can lead to object injection and excessive allocation. The issue is present in the following program files: `src/hex api.erl`, `src/mix hex api.erl`, and `apps/rebar/src/vendored/r3 hex api.erl`. The following program routines are affected: `hex core:request/4`, `mix hex api:request/4`, and `r3 hex api:request/4`. **Recommendations** hex core versions prior to 0.12.1 hex versions prior to 2.3.2 rebar3 versions prior to 3.27.0

**Name of the Vulnerable Software and Affected Versions** hexpm versions prior to 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0 **Description** A path traversal issue exists in hexpm’s Local Storage backend, impacting self-hosted deployments. The issue resides within the 'Elixir.Hexpm.Store.Local' module and affects the following program routines: `get/3`, `put/4`, `delete/2`, and `delete/many/2`, specifically within the file lib/hexpm/store/local.ex. This does not affect the hex.pm service itself. The issue allows relative path traversal. **Recommendations** Update hexpm to version 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0 or later.