Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-23940
PUBLISHED
More InfoOfficial Page
Assigner-EEF
Assigner Org ID-6b3ad84c-e1a6-4bf7-a703-f496b71e49db
View Known Exploited Vulnerability (KEV) details
Published At-13 Mar, 2026 | 16:07
Updated At-06 Apr, 2026 | 16:44
Rejected At-
▼CVE Numbering Authority (CNA)
Denial of Service via Oversized Package Upload

Uncontrolled Resource Consumption vulnerability in hexpm hexpm/hexpm allows Excessive Allocation. Publishing an oversized package can cause Hex.pm to run out of memory while extracting the uploaded package tarball. This can terminate the affected application instance and result in a denial of service for package publishing and potentially other package-processing functionality. This issue affects hexpm: before 495f01607d3eae4aed7ad09b2f54f31ec7a7df01; hex.pm: before 2026-03-10.

Affected Products
Vendor
hexpm
Product
hexpm
Collection URL
https://github.com
Package Name
hexpm/hexpm
Repo
https://github.com/hexpm/hexpm.git
CPEs
  • cpe:2.3:a:hexpm:hexpm:*:*:*:*:*:*:*:*
Default Status
affected
Versions
Affected
  • From 0 before 495f01607d3eae4aed7ad09b2f54f31ec7a7df01 (git)
Vendor
hexpm
Product
hex.pm
Default Status
unaffected
Versions
Affected
  • From 0 before 2026-03-10 (date)
Problem Types
TypeCWE IDDescription
CWECWE-400CWE-400 Uncontrolled Resource Consumption
Type: CWE
CWE ID: CWE-400
Description: CWE-400 Uncontrolled Resource Consumption
Metrics
VersionBase scoreBase severityVector
4.07.1HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Version: 4.0
Base score: 7.1
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-130CAPEC-130 Excessive Allocation
CAPEC ID: CAPEC-130
Description: CAPEC-130 Excessive Allocation
Solutions
Configurations
Workarounds

* Prevent large package uploads by enforcing upload size limits at the reverse proxy or load balancer level.

Exploits
Credits
finder
Joud Zakharia / zentrust partners GmbH
remediation developer
Eric Meadows-Jönsson / Hex.pm
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/hexpm/hexpm/security/advisories/GHSA-jp8w-gxf6-8hcr
vendor-advisory
related
https://cna.erlef.org/cves/CVE-2026-23940.html
related
https://osv.dev/vulnerability/EEF-CVE-2026-23940
related
https://github.com/hexpm/hexpm/commit/495f01607d3eae4aed7ad09b2f54f31ec7a7df01
patch
Hyperlink: https://github.com/hexpm/hexpm/security/advisories/GHSA-jp8w-gxf6-8hcr
Resource:
vendor-advisory
related
Hyperlink: https://cna.erlef.org/cves/CVE-2026-23940.html
Resource:
related
Hyperlink: https://osv.dev/vulnerability/EEF-CVE-2026-23940
Resource:
related
Hyperlink: https://github.com/hexpm/hexpm/commit/495f01607d3eae4aed7ad09b2f54f31ec7a7df01
Resource:
patch
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Details not found