Unsafe Deserialization Flaw Hits Erlang Ecosystem

A new vulnerability, CVE-2026-21619, exposes projects using the Erlang Hex ecosystem to unsafe deserialization attacks. The flaw, found in `hex_core` and `rebar3`, is a warning for developers whose CI/CD or backend build pipelines rely on Erlang-based components, highlighting the risk of cross-language dependency vulnerabilities.

Unsafe deserialization vulnerabilities let an attacker control the serialized data an application parses, which can lead to remote code execution (RCE), privilege escalation, or denial of service. The flaw typically arises when an application deserializes user-controllable data without sufficient validation, a risk that earned the category a place in the OWASP Top 10.

The vulnerability, identified as CVE-2026-21619, lies in the `hex_core` library, a foundational component for interacting with the Hex.pm package manager. Its impact extends to `rebar3`, the official build tool for Erlang, and to other tools that use `hex_core` for dependency management, making it a significant issue across the Erlang and Elixir ecosystems.

The flaw permits object injection and excessive memory allocation through the way these tools deserialize untrusted data. It can be triggered when the tools interact with a malicious or compromised package repository, a scenario particularly relevant for CI/CD pipelines that fetch and build dependencies automatically. No user interaction or privileges are required to exploit it. The Erlang Ecosystem Foundation assigned the CVE.

The affected versions are `hex_core` from 0.1.0 before 0.12.1, `hex` from 2.3.0 before 2.3.2, and `rebar3` from 3.9.1 before 3.27.0. Developers are advised to update to the patched versions to mitigate the risk.
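As an added illustration (not code from `hex_core` or `rebar3`, whose internal decoder the article does not describe), the following Erlang module shows the defensive pattern for decoding Erlang's external term format from an untrusted source: bound the payload size before decoding, decode with the `safe` option so the payload cannot mint new atoms or fun references, and check that the result has the shape the caller expects. The `MAX_TERM_BYTES` cap and the expected map-of-binaries shape are assumptions chosen for the example.

```erlang
-module(safe_decode).
-export([decode_trusting/1, decode_untrusted/1, decode_untrusted/2, demo/0]).

%% Hypothetical size cap for one registry response; tune per use case.
-define(MAX_TERM_BYTES, 1024 * 1024).

%% Unsafe pattern: binary_to_term/1 creates whatever atoms, funs, pids or
%% refs the payload names. Atoms are never garbage collected, so a stream
%% of fresh names exhausts the atom table and crashes the VM.
decode_trusting(Bin) ->
    binary_to_term(Bin).

decode_untrusted(Bin) ->
    decode_untrusted(Bin, ?MAX_TERM_BYTES).

decode_untrusted(Bin, MaxBytes) when is_binary(Bin), byte_size(Bin) > MaxBytes ->
    %% Reject before decoding: bounding the wire size limits how much
    %% memory a single crafted term can ask the decoder to allocate.
    {error, too_large};
decode_untrusted(Bin, _MaxBytes) when is_binary(Bin) ->
    %% 'safe' refuses new atoms (direct, or embedded in pids/refs/funs) and
    %% external fun references; such payloads fail with badarg.
    try binary_to_term(Bin, [safe]) of
        Term -> validate_shape(Term)
    catch
        error:badarg -> {error, unsafe_term}
    end.

%% Schema check: the caller expects a map of binary keys to binary values.
validate_shape(Map) when is_map(Map) ->
    AllBinaries = lists:all(fun({K, V}) -> is_binary(K) andalso is_binary(V) end,
                            maps:to_list(Map)),
    case AllBinaries of
        true  -> {ok, Map};
        false -> {error, unexpected_shape}
    end;
validate_shape(_Other) ->
    {error, unexpected_shape}.

%% Constructed inputs for a quick check from the shell: safe_decode:demo().
demo() ->
    Good = term_to_binary(#{<<"name">> => <<"pkg">>, <<"version">> => <<"1.0.0">>}),
    %% Hand-built ATOM_UTF8_EXT (tag 118, 2-byte length) naming an atom this
    %% VM has never created; binary_to_term/1 would mint it, [safe] rejects it.
    NewAtom = <<131, 118, 0, 11, "not_present">>,
    Huge = binary:copy(<<0>>, ?MAX_TERM_BYTES + 1),
    {ok, _} = decode_untrusted(Good),
    {error, unsafe_term} = decode_untrusted(NewAtom),
    {error, too_large} = decode_untrusted(Huge),
    ok.
```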
