Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Uncontrolled Resource Consumption vulnerability in hexpm hexpm/hexpm allows Excessive Allocation. Publishing an oversized package can cause Hex.pm to run out of memory while extracting the uploaded package tarball. This can terminate the affected application instance and result in a denial of service for package publishing and potentially other package-processing functionality.
This issue affects hexpm: before 495f01607d3eae4aed7ad09b2f54f31ec7a7df01; hex.pm: before 2026-03-10.
AnalysisAI
An uncontrolled resource consumption vulnerability in the Hex.pm package manager allows authenticated attackers to cause denial of service by uploading oversized packages that exhaust server memory during extraction. The vulnerability affects hexpm versions before commit 495f01607d3eae4aed7ad09b2f54f31ec7a7df01 and hex.pm installations before March 10, 2026, with a CVSS 4.0 score of 7.1 indicating high availability impact. No active exploitation has been reported (not in KEV), no public proof-of-concept exists, and EPSS data is not available.
Technical ContextAI
Hex.pm is the package manager for the Erlang ecosystem, used to host and distribute Erlang and Elixir packages. The vulnerability stems from CWE-400 (Uncontrolled Resource Consumption), where the application fails to properly limit memory allocation when processing uploaded package tarballs, allowing malicious actors to upload specially crafted oversized packages that consume excessive memory during the extraction phase. This affects the core package publishing and processing functionality of the hex.pm service, potentially impacting the entire Erlang/Elixir development ecosystem that relies on this infrastructure.
RemediationAI
Organizations running hex.pm instances should upgrade to versions containing commit 495f01607d3eae4aed7ad09b2f54f31ec7a7df01 or ensure their deployment is updated to post-March 10, 2026 releases. As an interim mitigation, administrators should implement package size limits at the web server or load balancer level, monitor memory usage patterns for anomalies during package uploads, and consider implementing rate limiting for package publishing operations to prevent rapid successive attempts at resource exhaustion.
Insufficient session expiration in hexpm. Password reset tokens never expire, enabling persistent account takeover.
Improper input sanitization in hexpm's SharedAuthorizationView module allows unauthenticated attackers to inject malicio
Hexpm's OAuth implementation fails to enforce read-only API key restrictions during token exchange, allowing an attacker
Path traversal in hexpm's Local Storage backend allows unauthenticated attackers to read sensitive files through relativ
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12050