CVE-2026-23939
Path Traversal in Local File Store Backend
Weakness Type (CWE)
CWE-22 — CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
Vulnerability description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in hexpm hexpm/hexpm ('Elixir.Hexpm.Store.Local' module) allows Relative Path Traversal.This vulnerability is associated with program files lib/hexpm/store/local.ex and program routines 'Elixir.Hexpm.Store.Local':get/3, 'Elixir.Hexpm.Store.Local':put/4, 'Elixir.Hexpm.Store.Local':delete/2, 'Elixir.Hexpm.Store.Local':delete_many/2.
This issue does NOT affect hex.pm the service. Only self-hosted deployments using the Local Storage backend are affected.
This issue affects hexpm: from 931ee0ed46fa89218e0400a4f6e6d15f96406050 before 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0.
Affected
pkg:github/hexpm/hexpm
| Module | Source File | Routine |
|---|---|---|
Hexpm.Store.Local
|
lib/hexpm/store/local.ex
|
Hexpm.Store.Local.get/3
|
Hexpm.Store.Local.put/4
|
||
Hexpm.Store.Local.delete/2
|
||
Hexpm.Store.Local.delete_many/2
|
| Status | Type | Version | Changes / Fixed in |
|---|---|---|---|
| affected | git ⓘ | 931ee0ed46fa
|
< 5d2ccd2f14f4
|
Workarounds
- Avoid the local file store backend in any exposed environment.
- Restrict network access to the registry when using the local backend.
- Production deployments should use object storage (e.g., S3-compatible backends) instead of the local filesystem store.
References
- https://github.com/hexpm/hexpm/security/advisories/GHSA-42mv-r64p-4869 vendor-advisory
- https://github.com/hexpm/hexpm/commit/5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0 patch
Credits
- Finder: Michael Lubas / Paraxial.io
- Remediation developer: Jonatan Männchen / EEF
- Remediation reviewer: Eric Meadows-Jönsson / Hex.pm
CVE record as JSON:
GET /cves/CVE-2026-23939.json
OSV record as JSON:
GET /osv/EEF-CVE-2026-23939.json