Hex.pm Uncontrolled Resource Consumption Vulnerability Leading to Denial-of-Service
Vulnerability
A denial-of-service vulnerability has been identified in Hex.pm, specifically in versions prior to 495f01607d3eae4aed7ad09b2f54f31ec7a7df01. This vulnerability allows for excessive memory allocation when publishing oversized packages. The extraction process of these large package tarballs can cause the application to run out of memory, potentially terminating the application instance. This disruption affects the package publishing process and may impact other package-processing functionalities as well.
Impact
Exploitation of this vulnerability can lead to application crashes, causing a denial-of-service condition for package publishing and related processes.
Reproduction
The vulnerability can be reproduced by uploading a package that exceeds the allowed size limits. In the staging environment, where memory resources are more limited, this issue can be triggered more easily. Additionally, in the production environment, uploading large packages concurrently can also cause similar disruptions.
Remediation
Users are advised to update to version 495f01607d3eae4aed7ad09b2f54f31ec7a7df01 or later. Instructions for updating can be found in the Hex.pm repository.
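The class of guard the fix needs is a size limit enforced before any package content is inflated into memory. The following Python example is added here for illustration and is not Hex.pm's own (Elixir) code; the three limits, the `validate_package` name and the in-memory fixture builder are assumptions chosen for the demonstration.

```python
import io
import tarfile

# Assumed limits for the demonstration, not Hex.pm's real configuration.
MAX_UPLOAD_BYTES = 8 * 1024 * 1024      # compressed tarball as received
MAX_UNPACKED_BYTES = 64 * 1024 * 1024   # total bytes we are willing to inflate
MAX_ENTRY_BYTES = 16 * 1024 * 1024      # any single file inside the package


class PackageTooLarge(ValueError):
    pass


def build_package(files):
    """Build a gzipped tar in memory from {name: bytes}. Test fixture only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def extract_bounded(tarball):
    """Return {name: bytes}, refusing before any oversized entry is inflated.

    The declared size in each tar header is checked first, so a small upload
    that expands to a huge file is rejected without allocating for it.
    """
    if len(tarball) > MAX_UPLOAD_BYTES:
        raise PackageTooLarge(f"upload is {len(tarball)} bytes")
    unpacked, out = 0, {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tf:
        for member in tf:                      # headers are read sequentially
            if not member.isfile():
                continue
            if member.size > MAX_ENTRY_BYTES:
                raise PackageTooLarge(f"{member.name}: {member.size} bytes")
            unpacked += member.size
            if unpacked > MAX_UNPACKED_BYTES:
                raise PackageTooLarge(f"total unpacked exceeds {MAX_UNPACKED_BYTES}")
            out[member.name] = tf.extractfile(member).read()  # bounded by header
    return out


def validate_package(tarball):
    """Verdict for a publish request: 'ok' or 'rejected: <reason>'."""
    try:
        extract_bounded(tarball)
    except PackageTooLarge as exc:
        return f"rejected: {exc}"
    return "ok"
```

The second test case below is the interesting one: the gzipped upload is only a few kilobytes, yet it is refused because the tar header declares an entry larger than the cap.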
