LOW🇬🇧 English

CVE-2026-21619

CVSS 2.0v4.0pub. 2026-02-27upd. 2026-04-06

Podatność Uncontrolled Resource Consumption oraz Deserialization of Untrusted Data w modułach hex_api bibliotek hexpm hex_core, hexpm hex i erlang rebar3 pozwala na Object Injection oraz Excessive Allocation. Podatność dotyczy plików src/hex_api.erl, src/mix_hex_api.erl, apps/rebar/src/vendored/r3_hex_api.erl oraz funkcji hex_core:request/4, mix_hex_api:request/4, r3_hex_api:request/4. Problem obejmuje hex_core: od 0.1.0 do 0.12.1 (nie włącznie); hex: od 2.3.0 do 2.3.2 (nie włącznie); rebar3: od 3.9.1 do 3.27.0 (nie włącznie).

Pokaż oryginał (EN)

Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation. This vulnerability is associated with program files src/hex_api.erl, src/mix_hex_api.erl, apps/rebar/src/vendored/r3_hex_api.erl and program routines hex_core:request/4, mix_hex_api:request/4, r3_hex_api:request/4. This issue affects hex_core: from 0.1.0 before 0.12.1; hex: from 2.3.0 before 2.3.2; rebar3: from 3.9.1 before 3.27.0.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Erlang Rebar3

    APP
    Erlang
    3.9.1 – 3.27.0 (bez)
  • Hex

    APP
    Hex
    2.3.0 – 2.3.2 (bez)
  • Hex Core

    APP
    Hex
    0.1.0 – 0.12.1 (bez)
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
Deserialization
CWE
Referencje

Powiązane podatności

CVE-2020-13802CRITICAL9.8ten sam produkt

Rebar3 versions 3.0.0-beta.3 to 3.13.2 are vulnerable to OS command injection via URL parameter of dependency ...

CVE-2026-32148HIGH8.9ten sam produkt

Insufficient Verification of Data Authenticity vulnerability in hexpm hex (Hex.RemoteConverger module) allows ...

CVE-2019-1000012HIGH8.8ten sam produkt

Hex package manager version 0.14.0 through 0.18.2 contains a Signing oracle vulnerability in Package registry ...

CVE-2019-1000013HIGH8.8ten sam produkt

Hex package manager hex_core version 0.3.0 and earlier contains a Signing oracle vulnerability in Package regi...

CVE-2019-1000014HIGH8.8ten sam produkt

Erlang/OTP Rebar3 version 3.7.0 through 3.7.5 contains a Signing oracle vulnerability in Package registry veri...