Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in hexpm hexpm/hexpm ('Elixir.Hexpm.Store.Local' module) allows Relative Path Traversal. This vulnerability is associated with program files lib/hexpm/store/local.ex and program routines 'Elixir.Hexpm.Store.Local':get/3, 'Elixir.Hexpm.Store.Local':put/4, 'Elixir.Hexpm.Store.Local':delete/2, 'Elixir.Hexpm.Store.Local':delete_many/2. This issue does NOT affect hex.pm the service.
Only self-hosted deployments using the Local Storage backend are affected. This issue affects hexpm: from 931ee0ed46fa89218e0400a4f6e6d15f96406050 before 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
Low
Partial data leak
Integrity
None
No data modification
Availability
None
No disruption
CVSS Vector v4.0
Weakness Type (CWE)
Vulnerable Products 1
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Hex Hexpm
cpe:2.3:a:hex:hexpm:*:*:*:*:*:*:*:*
|
2014-09-29
|
2026-02-26
|
References 4
https://github.com/hexpm/hexpm/commit/5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
https://github.com/hexpm/hexpm/security/advisories/GHSA-42mv-r64p-4869
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
https://cna.erlef.org/cves/CVE-2026-23939.html
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
https://osv.dev/vulnerability/EEF-CVE-2026-23939
6b3ad84c-e1a6-4bf7-a703-f496b71e49db