CVE-2026-23939 Overview
CVE-2026-23939 is a Path Traversal vulnerability affecting the hexpm package manager's local storage backend. The vulnerability exists in the Elixir.Hexpm.Store.Local module, specifically within the lib/hexpm/store/local.ex file. Multiple routines are affected, including the get/3, put/4, delete/2, and delete_many/2 functions.
This vulnerability allows attackers to perform Relative Path Traversal attacks against self-hosted hexpm deployments that use the Local Storage backend. Importantly, this issue does NOT affect the hex.pm service itself; only self-hosted deployments are at risk.
Critical Impact
Attackers can potentially read sensitive files outside the intended storage directory on self-hosted hexpm deployments using the Local Storage backend, leading to information disclosure.
Affected Products
- hexpm (self-hosted deployments using Local Storage backend)
- Versions from commit 931ee0ed46fa89218e0400a4f6e6d15f96406050 before 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0
Discovery Timeline
- 2026-02-26 - CVE-2026-23939 published to NVD
- 2026-02-26 - Last updated in the NVD database
Technical Details for CVE-2026-23939
Vulnerability Analysis
This Path Traversal vulnerability (CWE-22) resides in the local file storage implementation of hexpm. The affected module Elixir.Hexpm.Store.Local handles file operations for self-hosted hexpm instances that opt to use local filesystem storage rather than cloud-based solutions.
The vulnerability allows unauthenticated attackers to traverse directory paths and potentially access files outside the designated storage bucket directories. The network-accessible nature of the attack vector combined with no authentication requirements makes this vulnerability exploitable by remote attackers without user interaction.
The affected routines (get/3, put/4, delete/2, delete_many/2) all interact with the filesystem and were not properly validating path inputs to prevent traversal sequences.
Root Cause
The root cause is improper path handling in the local storage module. The original implementation reused a variable named relative both for the bucket directory path and for file paths relative to it, which made the two easy to confuse. The code failed to properly constrain file operations to the intended bucket directory, allowing attackers to use path traversal sequences (such as ../) to escape the restricted directory.
The fix involves renaming the variable to bucket_dir to clearly distinguish the bucket directory path and ensuring all path operations are properly scoped within the intended directory boundaries.
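The following is an added example written for this page, not hexpm's own code: it puts the unchecked join that lets a .. key escape the bucket directory beside a containment check that expands the resolved path and rejects anything outside the bucket directory or the storage root. The storage root (dir/0), the bucket name and the key are assumptions made for the example.

```elixir
defmodule LocalStoreExample do
  @moduledoc """
  Added example, not hexpm's own code: the unchecked join that lets a `..`
  key escape the bucket directory, beside a containment check. The storage
  root, bucket and key names are assumptions made for this example.
  """

  # Root of local storage (assumed value for this example).
  def dir, do: Path.expand("tmp/hexpm_store")

  # Unsafe pattern: the joined path is used as-is, and Path.join does not
  # resolve "..", so a key like "../../etc/passwd" leaves the bucket directory.
  def path_unchecked(bucket, key), do: Path.join([dir(), bucket, key])

  # Hardened pattern: resolve the final path and require that it stays inside
  # the bucket directory, and the bucket directory inside the storage root.
  def path_checked(bucket, key) do
    root = dir()
    bucket_dir = Path.expand(bucket, root)
    full = Path.expand(key, bucket_dir)

    if within?(bucket_dir, root) and within?(full, bucket_dir) do
      {:ok, full}
    else
      {:error, :path_traversal}
    end
  end

  # True when `child` equals `parent` or lies below it (both already expanded).
  # An absolute key ("/etc/passwd") is also rejected, since Path.expand/2
  # ignores the base for absolute paths and the prefix check then fails.
  defp within?(child, parent),
    do: child == parent or String.starts_with?(child, parent <> "/")

  # A get/2 in the style of the affected routines, with the check applied.
  def get(bucket, key) do
    with {:ok, full} <- path_checked(bucket, key), do: File.read(full)
  end
end

# Run with `elixir local_store_example.exs` to compare the two behaviours.
IO.inspect(LocalStoreExample.path_unchecked("repo", "../../etc/passwd"))
IO.inspect(LocalStoreExample.path_checked("repo", "../../etc/passwd"))
IO.inspect(LocalStoreExample.path_checked("repo", "tarballs/foo-1.0.0.tar"))
```

The first call returns a joined path that still contains the .. components, the second returns {:error, :path_traversal}, and the third returns {:ok, path} for a key that stays inside the bucket.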
Attack Vector
The attack is network-based and does not require authentication or user interaction. An attacker can craft malicious requests containing path traversal sequences to read, write, or delete files outside the intended storage bucket. This could lead to:
- Information Disclosure: Reading sensitive configuration files, credentials, or other data
- Data Manipulation: Writing malicious files to arbitrary locations
- Data Destruction: Deleting critical system or application files
# only used during development (not safe)
def list(bucket, prefix) do
- relative = Path.join([dir(), bucket])
- paths = Path.join(relative, "**") |> Path.wildcard()
+ bucket_dir = Path.join([dir(), bucket])
+ paths = Path.join(bucket_dir, "**") |> Path.wildcard()
Enum.flat_map(paths, fn path ->
- relative = Path.relative_to(path, relative)
+ relative = Path.relative_to(path, bucket_dir)
if String.starts_with?(relative, prefix) and File.regular?(path) do
[relative]
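Review bot: the rename only stops the inner `relative = Path.relative_to(path, bucket_dir)` from shadowing the outer `relative`; nothing in this hunk constrains `bucket` or `prefix` to stay under `dir()`, and the `# only used during development (not safe)` comment is left standing. Either state in the commit message that `list/2` is deliberately development-only, or add a check that `Path.expand(bucket_dir)` starts with `Path.expand(dir())` before the wildcard runs; this hunk shows only `list/2`, so the get/3, put/4, delete/2 and delete_many/2 changes the advisory describes are not visible here.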
Source: GitHub Commit Update
Detection Methods for CVE-2026-23939
Indicators of Compromise
- HTTP requests containing path traversal sequences (../, ..%2f, %2e%2e/) targeting hexpm storage endpoints
- Unusual file access patterns in web server logs indicating attempts to access files outside storage directories
- Anomalous file read, write, or delete operations in directories outside the configured hexpm storage location
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing path traversal patterns
- Monitor web server access logs for suspicious URL patterns with encoded or unencoded directory traversal sequences
- Deploy file integrity monitoring on sensitive directories to detect unauthorized access or modifications
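As an added example for the log-monitoring strategy above (not hexpm code), the script below scans access-log lines for request paths that contain a whole .. segment after percent-decoding, so the plain, encoded (..%2f, %2e%2e/) and double-encoded forms are all caught while names that merely contain two dots are not. The log lines are constructed for the example; the log layout and the listening path prefix are assumptions.

```elixir
# Added example, not part of hexpm: flags access-log request paths that contain
# a ".." segment after percent-decoding (plain, encoded and double-encoded).
defmodule TraversalLogScan do
  # Constructed sample lines in a common-log layout (not real traffic).
  @sample_lines [
    ~s(10.0.0.5 - - [26/Feb/2026:10:00:01 +0000] "GET /tarballs/foo-1.0.0.tar HTTP/1.1" 200 1024),
    ~s(10.0.0.9 - - [26/Feb/2026:10:00:02 +0000] "GET /tarballs/..%2f..%2fetc/passwd HTTP/1.1" 404 0),
    ~s(10.0.0.9 - - [26/Feb/2026:10:00:03 +0000] "GET /tarballs/%2e%2e/%2e%2e/config.exs HTTP/1.1" 404 0),
    ~s(10.0.0.9 - - [26/Feb/2026:10:00:04 +0000] "GET /tarballs/%252e%252e/secret HTTP/1.1" 404 0),
    ~s(10.0.0.7 - - [26/Feb/2026:10:00:05 +0000] "GET /docs/elixir..1.0/index.html HTTP/1.1" 200 512)
  ]

  # Extract the request path from a log line; nil when the line does not match.
  def request_path(line) do
    case Regex.run(~r/"(?:GET|PUT|DELETE|POST|HEAD) ([^ "]+) HTTP/, line) do
      [_, path] -> path
      _ -> nil
    end
  end

  # Percent-decode up to `rounds` times so "%252e%252e" is seen as "..".
  def decode(path, rounds \\ 2) do
    Enum.reduce_while(1..rounds, path, fn _, acc ->
      decoded = try_decode(acc)
      if decoded == acc, do: {:halt, acc}, else: {:cont, decoded}
    end)
  end

  # A malformed escape sequence is left as-is rather than aborting the scan.
  defp try_decode(s) do
    URI.decode(s)
  rescue
    ArgumentError -> s
  end

  # Flag only a whole ".." segment, so a name like "elixir..1.0" does not match.
  def traversal?(path), do: path |> decode() |> String.split("/") |> Enum.member?("..")

  # Lines whose request path looks like a traversal attempt.
  def suspicious(lines \\ @sample_lines) do
    Enum.filter(lines, fn line ->
      case request_path(line) do
        nil -> false
        path -> traversal?(path)
      end
    end)
  end
end

Enum.each(TraversalLogScan.suspicious(), &IO.puts/1)
```

Run with `elixir traversal_log_scan.exs`; of the five constructed lines, the three 10.0.0.9 requests are reported and the two legitimate ones are not.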
Monitoring Recommendations
- Enable verbose logging for the hexpm application to capture detailed request information
- Set up alerts for failed file access attempts outside the expected storage bucket paths
- Monitor system calls related to file operations from the hexpm process for anomalous behavior
How to Mitigate CVE-2026-23939
Immediate Actions Required
- Update hexpm to the patched version (commit 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0 or later) immediately
- Review access logs for any indication of prior exploitation attempts
- Consider temporarily switching to cloud-based storage backends if immediate patching is not possible
- Restrict network access to self-hosted hexpm instances to trusted networks only
Patch Information
The vulnerability has been addressed in commit 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0. The fix properly distinguishes between bucket directory paths and relative file paths by renaming variables and ensuring path operations are constrained to the intended storage directories.
For detailed patch information, refer to the GitHub Security Advisory GHSA-42mv-r64p-4869 and the GitHub commit with the fix.
Workarounds
- Switch to cloud-based storage backends (S3, GCS) which are not affected by this vulnerability
- Implement network-level access controls to restrict access to the hexpm instance
- Deploy a reverse proxy with path validation rules to filter malicious requests before they reach the application
# Example: Restrict hexpm access to internal network only using iptables
# Assumes hexpm listens on TCP 4000. These rules are appended, so they only take
# effect if no earlier INPUT rule already accepts that traffic.
iptables -A INPUT -p tcp --dport 4000 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 4000 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

