PT-2026-22367 · Hex+2
Realcorvus · Published 2026-02-27 · Updated 2026-03-07 · CVE-2026-21619
CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
hex_core versions 0.1.0 through 0.12.0
hex versions 2.3.0 through 2.3.1
rebar3 versions 3.9.1 through 3.26.9
Description
An issue exists in hex_core, hex, and rebar3 related to uncontrolled resource consumption and deserialization of untrusted data. This can lead to object injection and excessive allocation. The issue is present in the following program files:
src/hex_api.erl, src/mix_hex_api.erl, and apps/rebar/src/vendored/r3_hex_api.erl. The following program routines are affected: hex_core:request/4, mix_hex_api:request/4, and r3_hex_api:request/4.
Recommendations
hex_core versions prior to 0.12.1
hex versions prior to 2.3.2
rebar3 versions prior to 3.27.0
Fix
Resource Exhaustion
Deserialization of Untrusted Data
Related Identifiers
Affected Products
Hex
Hex Core
Rebar3