Resource exhaustion in Hexpm Hex.pm

CVE-2026-23940

Uncontrolled Resource Consumption vulnerability in hexpm hexpm/hexpm allows Excessive Allocation. Publishing an oversized package can cause Hex.pm to run out of memory while extracting the uploaded package tarball. This can terminate the a…

Vulnerability class: DoS (Denial of Service)

EPSS: 0.001 (21.2th percentile)

Affected products

Weakness classification (CWE)

References