CVE-2026-21619: Unsafe Deserialization in Erlang Hex Ecosystem (hex_core, rebar3)

Published: 2 days ago (March 1, 2026 at 01:10 AM EST)

1 min read

Source: Dev.to

Overview

Vulnerability ID: CVE-2026-21619
CVSS Score: 2.0 (Low) – CVSS v4.0
Published: 2026-03-01

A critical unsafe deserialization vulnerability exists in hex_core, the reference implementation for the Hex package manager API. The flaw arises from the use of the unsafe binary_to_term/1 function when processing HTTP response bodies. An attacker who can control a package mirror or intercept network traffic can inject malicious Erlang terms, leading to:

Denial of Service (DoS) via atom table exhaustion
Potential Remote Code Execution (RCE) through object injection

CWE‑502 – Deserialization of Untrusted Data
CWE‑400 – Uncontrolled Resource Consumption

Attack Vector: Network

Exploit Status: Proof‑of‑Concept (PoC) available

Affected Components

Component	Affected Versions	Fixed Version
`hex_core`	(unspecified in source)	(unspecified in source)

Full CVE Report: CVE‑2026‑21619 details (external site) (replace with actual URL)

CVE-2026-21619: Unsafe Deserialization in Erlang Hex Ecosystem (hex_core, rebar3)

Overview

Affected Components

Related posts

Shared Workflows: minha experiência definindo pipelines reutilizáveis

Building a Local-First Financial IDE: How I forced Gemini AI to do strict Double-Entry Accounting

I ran cursor-doctor on 50 real projects. Here's what broke.

Google Gemini Writing Challenge