Deserialization in Erlang Rebar3

CVE-2026-21619

Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation. This…

Vulnerability class: DoS (Denial of Service)

EPSS: 0.001 (21.1th percentile)

Affected products

  • Erlang Rebar3 — versions 209c02ec57c2cc3207ee0174c3af3675b8dc8f79, 3.9.1
  • Hexpm Hex — versions 314546ac432229518714cc8e3336e916b9da6305, 2.3.0
  • Hexpm Hex_core — versions eb327f8edfe45507351e38cc0805aa12fa647f0b, 0.1.0

Weakness classification (CWE)

References