PT-2026-25321 · Hexpm · Hex.Pm
Jzakharia1 · Published 2026-03-13 · Updated 2026-03-14
CVE-2026-23940
CVSS v4.0
7.1
High
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
hexpm (the Hex.pm registry server source) prior to commit 495f01607d3eae4aed7ad09b2f54f31ec7a7df01
hex.pm (the hosted registry) as deployed prior to 2026-03-10
Description
An uncontrolled resource consumption issue in hexpm allows excessive memory allocation. A user with publishing rights (the vector's PR:L) can upload an oversized package; while Hex.pm extracts the uploaded package's tarball in memory, the allocation is not bounded and the process exhausts memory. The affected application instance is terminated, denying service for package publishing and potentially for other package-processing functionality (the vector's VA:H). No confidentiality or integrity impact is claimed.
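The failure mode described above, as an added example that is not hexpm's code: a budgeted extractor for an uploaded Hex-style package, written in Python (hexpm itself is Elixir). The byte budget MAX_UNPACKED_BYTES, the functions extract_upload, _bounded_gunzip, classify and build_package, and the fixture contents are assumptions for the illustration; the package layout mirrors Hex's package format (an uncompressed outer tar holding VERSION, metadata.config and contents.tar.gz), but the packages built here are constructed test data, not real publishes. What it adds to the description is where the check has to sit: before each allocation and inside the decompression loop, not after extraction has finished.

```python
"""Bounded in-memory extraction of an uploaded package tarball.

Added example, not hexpm's code (Python rather than Elixir): every allocation
is checked against a byte budget before the bytes exist, and the gzipped inner
tarball is decompressed incrementally against the same budget. The layout
(uncompressed outer tar with VERSION, metadata.config, contents.tar.gz) follows
Hex's package format; the fixtures built here are constructed test data.
"""
import io
import tarfile
import zlib

# Bytes one upload may occupy once unpacked; an assumption for this example.
MAX_UNPACKED_BYTES = 1 * 1024 * 1024


class OversizedUpload(Exception):
    """Raised before the extractor would exceed the budget."""


def _bounded_gunzip(data: bytes, budget: int) -> bytes:
    """Decompress a gzip stream, refusing to emit more than `budget` bytes."""
    # wbits=16+MAX_WBITS parses the gzip container; max_length caps each call's
    # output so the check runs before the next chunk is materialised.
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    out = bytearray()
    pending = data
    while True:
        # Ask for one byte more than we may still accept: receiving it proves
        # the stream is over budget without expanding the rest.
        chunk = d.decompress(pending, max_length=budget - len(out) + 1)
        out += chunk
        if len(out) > budget:
            raise OversizedUpload(f"gzip payload expands beyond {budget} bytes")
        if d.eof:
            return bytes(out)
        pending = d.unconsumed_tail
        if not pending and not chunk:
            raise ValueError("truncated gzip stream")


def extract_upload(tar_bytes: bytes, budget: int = MAX_UNPACKED_BYTES) -> dict:
    """Unpack a package tarball in memory within `budget`, or raise OversizedUpload.

    Returns {member name: bytes}, with contents.tar.gz replaced by its inner tar.
    """
    if len(tar_bytes) > budget:
        raise OversizedUpload(f"upload of {len(tar_bytes)} bytes exceeds {budget}")
    remaining = budget - len(tar_bytes)  # the raw upload already occupies memory
    out = {}
    # "r:" accepts only an uncompressed outer tar; a compressed outer layer
    # would be a second, unbudgeted expansion step.
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar:
            if not member.isfile():
                raise ValueError(f"unexpected entry type for {member.name!r}")
            # Check the header's declared size before reading body bytes; an
            # extractor that sizes its buffer from the header alone allocates
            # whatever the uploader wrote there.
            if member.size > remaining:
                raise OversizedUpload(f"{member.name!r} declares {member.size} bytes, {remaining} left in budget")
            data = tar.extractfile(member).read()
            remaining -= len(data)
            if member.name == "contents.tar.gz":
                data = _bounded_gunzip(data, remaining)
                remaining -= len(data)
            out[member.name] = data
    return out


def classify(tar_bytes: bytes, budget: int = MAX_UNPACKED_BYTES) -> str:
    """'accepted' or 'rejected', for callers that only need the decision."""
    try:
        extract_upload(tar_bytes, budget)
    except OversizedUpload:
        return "rejected"
    return "accepted"


def _add(tar: tarfile.TarFile, name: str, data: bytes) -> None:
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_package(files: dict, metadata: bytes = b'{<<"app">>,<<"example">>}.\n') -> bytes:
    """Constructed fixture: a Hex-style package tar wrapping `files` in contents.tar.gz."""
    inner = io.BytesIO()
    with tarfile.open(fileobj=inner, mode="w:gz") as tar:
        for name, data in files.items():
            _add(tar, name, data)
    outer = io.BytesIO()
    with tarfile.open(fileobj=outer, mode="w:") as tar:
        _add(tar, "VERSION", b"3")
        _add(tar, "metadata.config", metadata)
        _add(tar, "contents.tar.gz", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    legit = build_package({"mix.exs": b"defmodule Example.MixProject do\nend\n"})
    # 8 MiB of zeros gzips to a few KiB: small on the wire, large once unpacked.
    bloated = build_package({"lib/bloat.ex": b"\x00" * (8 * 1024 * 1024)})
    for label, pkg in (("legit", legit), ("bloated", bloated)):
        print(f"{label}: {len(pkg)} bytes uploaded -> {classify(pkg)}")
```

Running the module shows a legitimate package accepted and an upload of a few KiB that expands to 8 MiB rejected with most of the budget still unspent. That is the property a registry needs here: a bound enforced during extraction, since a size check on the uploaded blob alone says nothing about what it expands to.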
Recommendations
hexpm builds prior to commit 495f01607d3eae4aed7ad09b2f54f31ec7a7df01 should be updated to a build that includes it.
hex.pm deployments from before 2026-03-10 should be updated.
Fix: hexpm commit 495f01607d3eae4aed7ad09b2f54f31ec7a7df01
Resource Exhaustion
Weakness Enumeration: Uncontrolled Resource Consumption
Related Identifiers: CVE-2026-23940
Affected Products
Hex.Pm
Hexpm