Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
Insufficient Verification of Data Authenticity vulnerability in hexpm hex (Hex.RemoteConverger module) allows dependency integrity bypass via unverified lockfile checksums.
Hex stores checksums for dependencies in the mix.lock file to ensure reproducible and integrity-checked builds. However, Hex.RemoteConverger.verify_resolved/2 never executes checksum verification because the lock data returned by Hex.Utils.lock/1 uses string-based dependency names, while the verification logic compares against atom-based names. This type mismatch causes the verification code path to be silently skipped. Checksums are still validated when packages are initially downloaded from the registry, but mismatches between the lockfile and resolved dependencies are not detected.
An attacker who can influence cached packages (e.g., via local cache poisoning or a compromised registry) can provide modified dependency contents that will be accepted without detection. The mix.lock file is silently rewritten with the checksum values from the registry, erasing evidence of tampering.
This issue affects hex: from 0.16.0 before 2.4.2.
AnalysisAI
Silent dependency checksum bypass in hexpm/hex package manager (versions 0.16.0 through 2.4.1) allows attackers to substitute malicious dependencies without detection. The Hex.RemoteConverger module fails to verify lockfile checksums due to a string-versus-atom type mismatch in the verification logic, causing the security check to be silently skipped. Attackers who can poison local package caches or compromise registry responses can deliver modified packages that overwrite mix.lock without raising alerts. SSVC framework indicates proof-of-concept exists, attack is non-automatable (requires user interaction and precise timing), with total technical impact. Fixed in version 2.4.2 (commit d7528c8).
Technical ContextAI
Hex is the package manager for the Erlang/Elixir ecosystem, integrated with Mix (Elixir's build tool). The vulnerability resides in the Hex.RemoteConverger module responsible for dependency resolution and verification. The root cause (CWE-354: Improper Verification of Integrity Check Value) stems from a data type inconsistency: Hex.Utils.lock/1 returns dependency names as strings, while Hex.RemoteConverger.verify_resolved/2 pattern-matches against atom-based names using the ^atom_name guard. This type mismatch prevents the pattern match from succeeding, silently bypassing checksum validation logic that would otherwise compare mix.lock checksums against registry-provided values. While initial package downloads are checksum-verified against the registry, subsequent builds relying on cached packages or manipulated lockfiles skip this critical integrity check. The commit diff shows the fix converts String.to_atom(name) to direct string comparison and adds comprehensive regression tests that verify checksum mismatch detection.
RemediationAI
Upgrade hexpm/hex to version 2.4.2 or later, which implements correct string-based name comparison in Hex.RemoteConverger.verify_resolved/2 (commit d7528c8199a1144511508bf3a6460026a5a14c8e at https://github.com/hexpm/hex/commit/d7528c8199a1144511508bf3a6460026a5a14c8e). For Elixir projects, update via 'mix local.hex --force' or 'mix archive.install hex hex-2.4.2.ez'. Immediately after upgrading, regenerate mix.lock files by deleting existing lockfiles and running 'mix deps.get' to ensure checksums are freshly validated under corrected logic. If immediate patching is blocked, implement compensating controls: restrict network access to official hex.pm registry only (block alternate registries and local mirrors unless cryptographically verified), implement file integrity monitoring on _build/ and deps/ directories to detect unexpected package modifications (alert on checksum changes outside approved deployment windows), use hash pinning in infrastructure-as-code for critical dependencies as secondary validation layer, and enable audit logging for all mix.lock modifications in version control with mandatory code review. Note that workarounds significantly increase operational overhead and do not prevent the silent failure mode - patching to 2.4.2 is strongly recommended over compensating controls.
Hex package manager version 0.14.0 through 0.18.2 contains a Signing oracle vulnerability in Package registry verificati
Uncontrolled resource consumption in hex_core, hex, and rebar3 package managers results from unsafe deserialization of u
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26404