High severity7.5NVD Advisory· Published Feb 27, 2026· Updated Apr 6, 2026

CVE-2026-21619

Description

Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation. This vulnerability is associated with program files src/hex_api.erl, src/mix_hex_api.erl, apps/rebar/src/vendored/r3_hex_api.erl and program routines hex_core:request/4, mix_hex_api:request/4, r3_hex_api:request/4.

This issue affects hex_core: from 0.1.0 before 0.12.1; hex: from 2.3.0 before 2.3.2; rebar3: from 3.9.1 before 3.27.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
hex_coreHex	< 0.12.1	0.12.1

Affected products

Erlang/Rebar3
cpe:2.3:a:erlang:rebar3:*:*:*:*:*:*:*:*
Range: >=3.9.1,<3.27.0
Hex/Hex
cpe:2.3:a:hex:hex:*:*:*:*:*:*:*:*
Range: >=2.3.0,<2.3.2
Hex/Hex Core
cpe:2.3:a:hex:hex_core:*:*:*:*:*:*:*:*
Range: >=0.1.0,<0.12.1

Patches

1d4478f527e3

Vendor hex_core 0.12.2

https://github.com/erlang/rebar3Fred HebertFeb 27, 2026via ghsa

commit

24 files changed · +883 −26

apps/rebar/src/vendored/r3_hex_api.erl+7 −2 modified

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% @doc
 %% Hex HTTP API
@@ -106,7 +106,12 @@ request(Config, Method, Path, Body) when is_binary(Path) and is_map(Config) ->
             Response =
                 case binary:match(ContentType, ?ERL_CONTENT_TYPE) of
                     {_, _} ->
-                        {ok, {Status, RespHeaders, binary_to_term(RespBody)}};
+                        case r3_hex_safe_binary_to_term:safe_binary_to_term(RespBody) of
+                            {ok, Term} ->
+                                {ok, {Status, RespHeaders, Term}};
+                            {error, Reason} ->
+                                {error, Reason}
+                        end;
                     nomatch ->
                         {ok, {Status, RespHeaders, nil}}
                 end,

apps/rebar/src/vendored/r3_hex_api_key.erl+1 −1 modified

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% @doc
 %% Hex HTTP API - Keys.

apps/rebar/src/vendored/r3_hex_api_package.erl+1 −1 modified

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% @doc
 %% Hex HTTP API - Packages.

apps/rebar/src/vendored/r3_hex_api_package_owner.erl+1 −1 modified

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% @doc
 %% Hex HTTP API - Package Owners.

apps/rebar/src/vendored/r3_hex_api_release.erl+1 −1 modified

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% @doc
 %% Hex HTTP API - Releases.

apps/rebar/src/vendored/r3_hex_api_user.erl+1 −1 modified

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% @doc
 %% Hex HTTP API - Users.

apps/rebar/src/vendored/r3_hex_core.erl+1 −1 modified

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% @doc
 %% `hex_core' entrypoint module.

apps/rebar/src/vendored/r3_hex_core.hrl+2 −2 modified

@@ -1,3 +1,3 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
--define(HEX_CORE_VERSION, "0.12.0").
+-define(HEX_CORE_VERSION, "0.12.1").

apps/rebar/src/vendored/r3_hex_erl_tar.erl+1 −1 modified

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% @private
 %% Copied from https://github.com/erlang/otp/blob/OTP-20.0.1/lib/stdlib/src/erl_tar.erl

apps/rebar/src/vendored/r3_hex_erl_tar.hrl+3 −3 modified

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 % Copied from https://github.com/erlang/otp/blob/OTP-20.0.1/lib/stdlib/src/erl_tar.hrl
 
@@ -36,7 +36,7 @@
 %% Options used when reading a tar archive.
 -record(read_opts, {
           cwd                    :: string(),  %% Current working directory.
-          keep_old_files = false :: boolean(), %% Overwrite or not.
+          keep_old_files = false :: boolean(), %% Owerwrite or not.
           files = all,                         %% Set of files to extract (or all)
           output = file :: 'file' | 'memory',
           open_mode = [],                      %% Open mode options.
@@ -202,7 +202,7 @@
 %% These constants (except S_IFMT) are
 %% used to determine what type of device
 %% a file is. Namely, `S_IFMT band file_info.mode`
-%% will equal one of these constants, and tells us
+%% will equal one of these contants, and tells us
 %% which type it is. The stdlib file_info record
 %% does not differentiate between device types, and
 %% will not allow us to differentiate between sockets

apps/rebar/src/vendored/r3_hex_filename.erl+1 −1 modified

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 % @private
 % Excerpt from https://github.com/erlang/otp/blob/OTP-20.0.1/lib/stdlib/src/filename.erl#L761-L788

apps/rebar/src/vendored/r3_hex_http.erl+1 −1 modified

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% @doc
 %% HTTP contract.

apps/rebar/src/vendored/r3_hex_http_httpc.erl+1 −1 modified

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% @doc
 %% httpc-based implementation of {@link r3_hex_http} contract.

apps/rebar/src/vendored/r3_hex_licenses.erl+1 −1 modified

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% @doc
 %% Hex Licenses.

apps/rebar/src/vendored/r3_hex_pb_names.erl+1 −1 modified

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% -*- coding: utf-8 -*-
 %% % this file is @generated

apps/rebar/src/vendored/r3_hex_pb_package.erl+1 −1 modified

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% -*- coding: utf-8 -*-
 %% % this file is @generated

apps/rebar/src/vendored/r3_hex_pb_signed.erl+1 −1 modified

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% -*- coding: utf-8 -*-
 %% % this file is @generated

apps/rebar/src/vendored/r3_hex_pb_versions.erl+1 −1 modified

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% -*- coding: utf-8 -*-
 %% % this file is @generated

apps/rebar/src/vendored/r3_hex_registry.erl+1 −1 modified

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% @doc
 %% Functions for encoding and decoding Hex registries.

apps/rebar/src/vendored/r3_hex_repo.erl+1 −1 modified

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% @doc
 %% Repo API.

apps/rebar/src/vendored/r3_hex_safe_binary_to_term.erl+94 −0 added

@@ -0,0 +1,94 @@
+%% Vendored from hex_core v0.12.1, do not edit manually
+
+%% @hidden
+%% Safe deserialization of Erlang terms from binary.
+%%
+%% This module provides a restricted version of `binary_to_term/1' that:
+%% - Uses the `safe' option to prevent creation of new atoms (DoS protection)
+%% - Validates that the term contains no executable code (RCE protection)
+%%
+%% Inspired by Plug.Crypto's non_executable_binary_to_term:
+%% https://github.com/elixir-plug/plug_crypto/blob/c326c3c743b18cf5f4b12735d06dd90c72dcd779/lib/plug/crypto.ex
+-module(r3_hex_safe_binary_to_term).
+
+-export([safe_binary_to_term/1]).
+
+-type unsafe_term() :: function() | port().
+-type error_reason() :: invalid_term | {unsafe_term, unsafe_term()}.
+
+-spec safe_binary_to_term(binary()) -> {ok, term()} | {error, error_reason()}.
+safe_binary_to_term(Binary) when is_binary(Binary) ->
+    try binary_to_term(Binary, [safe]) of
+        Term ->
+            case validate_term(Term) of
+                ok -> {ok, Term};
+                {error, _} = Error -> Error
+            end
+    catch
+        error:badarg ->
+            {error, invalid_term}
+    end.
+
+-spec validate_term(term()) -> ok | {error, {unsafe_term, term()}}.
+validate_term(Term) when is_list(Term) ->
+    validate_list(Term);
+validate_term(Term) when is_tuple(Term) ->
+    validate_tuple(Term, tuple_size(Term));
+validate_term(Term) when is_map(Term) ->
+    validate_map(Term);
+validate_term(Term) when
+    is_atom(Term);
+    is_number(Term);
+    is_bitstring(Term);
+    is_pid(Term);
+    is_reference(Term)
+->
+    ok;
+validate_term(Term) ->
+    {error, {unsafe_term, Term}}.
+
+-spec validate_list(list()) -> ok | {error, {unsafe_term, term()}}.
+validate_list([]) ->
+    ok;
+validate_list([H | T]) when is_list(T) ->
+    case validate_term(H) of
+        ok -> validate_list(T);
+        Error -> Error
+    end;
+validate_list([H | T]) ->
+    %% Improper list
+    case validate_term(H) of
+        ok -> validate_term(T);
+        Error -> Error
+    end.
+
+-spec validate_tuple(tuple(), non_neg_integer()) -> ok | {error, {unsafe_term, term()}}.
+validate_tuple(_Tuple, 0) ->
+    ok;
+validate_tuple(Tuple, N) ->
+    case validate_term(element(N, Tuple)) of
+        ok -> validate_tuple(Tuple, N - 1);
+        Error -> Error
+    end.
+
+-spec validate_map(map()) -> ok | {error, {unsafe_term, term()}}.
+validate_map(Map) ->
+    try
+        maps:fold(
+            fun(Key, Value, ok) ->
+                case validate_term(Key) of
+                    ok ->
+                        case validate_term(Value) of
+                            ok -> ok;
+                            Error -> throw(Error)
+                        end;
+                    Error ->
+                        throw(Error)
+                end
+            end,
+            ok,
+            Map
+        )
+    catch
+        throw:{error, _} = Error -> Error
+    end.

apps/rebar/src/vendored/r3_hex_tarball.erl+1 −1 modified

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% @doc
 %% Functions for creating and unpacking Hex tarballs.

apps/rebar/src/vendored/r3_safe_erl_term.erl+758 −0 added

@@ -0,0 +1,758 @@
+-file("/Users/ferd/local/bin/erls/28.3.1/lib/parsetools-2.7/include/leexinc.hrl", 0).
+%%
+%% %CopyrightBegin%
+%%
+%% SPDX-License-Identifier: BSD-2-Clause
+%%
+%% Copyright (c) 2008,2009 Robert Virding. All rights reserved.
+%% Copyright Ericsson AB 2009-2025. All Rights Reserved.
+%%
+%% Redistribution and use in source and binary forms, with or without
+%% modification, are permitted provided that the following conditions
+%% are met:
+%%
+%% 1. Redistributions of source code must retain the above copyright
+%% notice, this list of conditions and the following disclaimer.
+%% 2. Redistributions in binary form must reproduce the above copyright
+%% notice, this list of conditions and the following disclaimer in the
+%% documentation and/or other materials provided with the distribution.
+%%
+%% THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+%% "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+%% LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+%% FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+%% COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+%% INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+%% BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+%% LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+%% CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+%% LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+%% ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+%% POSSIBILITY OF SUCH DAMAGE.
+%%
+%% %CopyrightEnd%
+%% 
+
+%% The source of this file is part of leex distribution, as such it
+%% has the same Copyright as the other files in the leex
+%% distribution. However, the resultant scanner generated by leex is the
+%% property of the creator of the scanner and is not covered by that
+%% Copyright.
+
+-module(r3_safe_erl_term).
+
+-export([string/1,string/2,token/2,token/3,tokens/2,tokens/3]).
+-export([format_error/1]).
+
+%% User code. This is placed here to allow extra attributes.
+-file("/Users/ferd/code/self/rebar3/apps/rebar/src/vendored/r3_safe_erl_term.xrl", 26).
+
+-export([terms/1]).
+
+terms(Tokens) ->
+  terms(Tokens, []).
+
+terms([{dot, _} = H], Buffer) ->
+  [buffer_to_term([H|Buffer])];
+terms([{dot, _} = H|T], Buffer) ->
+  [buffer_to_term([H|Buffer])|terms(T, [])];
+terms([H|T], Buffer) ->
+  terms(T, [H|Buffer]).
+
+buffer_to_term(Buffer) ->
+  {ok, Term} = erl_parse:parse_term(lists:reverse(Buffer)),
+  Term.
+
+unquote(TokenChars, TokenLen) ->
+  lists:sublist(TokenChars, 2, TokenLen - 2).
+
+tokenize_atom(TokenChars, TokenLine) ->
+  try list_to_existing_atom(TokenChars) of
+    Atom -> {token, {atom, TokenLine, Atom}}
+  catch
+    error:badarg -> {error, "illegal atom " ++ TokenChars}
+  end.
+
+escape([$\\|Cs]) ->
+  do_escape(Cs);
+escape([C|Cs]) ->
+  [C|escape(Cs)];
+escape([]) -> [].
+
+do_escape([O1,O2,O3|S]) when
+    O1 >= $0, O1 =< $7, O2 >= $0, O2 =< $7, O3 >= $0, O3 =< $7 ->
+  [(O1*8 + O2)*8 + O3 - 73*$0|escape(S)];
+do_escape([$^,C|Cs]) ->
+  [C band 31|escape(Cs)];
+do_escape([C|Cs]) when C >= $\000, C =< $\s ->
+  escape(Cs);
+do_escape([C|Cs]) ->
+  [escape_char(C)|escape(Cs)].
+
+escape_char($n) -> $\n;       %\n = LF
+escape_char($r) -> $\r;       %\r = CR
+escape_char($t) -> $\t;       %\t = TAB
+escape_char($v) -> $\v;       %\v = VT
+escape_char($b) -> $\b;       %\b = BS
+escape_char($f) -> $\f;       %\f = FF
+escape_char($e) -> $\e;       %\e = ESC
+escape_char($s) -> $\s;       %\s = SPC
+escape_char($d) -> $\d;       %\d = DEL
+escape_char(C) -> C.
+
+-file("/Users/ferd/local/bin/erls/28.3.1/lib/parsetools-2.7/include/leexinc.hrl", 47).
+
+format_error({illegal,S}) -> ["illegal characters ",io_lib:write_string(S)];
+format_error({user,S}) -> S.
+
+%% string(InChars) ->
+%% string(InChars, Loc) ->
+%% {ok,Tokens,EndLoc} | {error,ErrorInfo,EndLoc}.
+%% Loc is the starting location of the token, while EndLoc is the first not scanned
+%% location. Location is either Line or {Line,Column}, depending on the "error_location" option.
+
+string(Ics) -> 
+    string(Ics,1).
+string(Ics,L0) -> 
+    string(Ics, L0, 1, Ics, []).
+string(Ics, L0, C0, Tcs, Ts) -> 
+    case do_string(Ics, L0, C0, Tcs, Ts) of
+        {ok, T, {L,_}} -> {ok, T, L};
+        {error, {{EL,_},M,D}, {L,_}} ->
+            EI = {EL,M,D},
+            {error, EI, L}
+    end.
+
+do_string([], L, C, [], Ts) ->                     % No partial tokens!
+    {ok,yyrev(Ts),{L,C}};
+do_string(Ics0, L0, C0, Tcs, Ts) ->
+    case yystate(yystate(), Ics0, L0, C0, 0, reject, 0) of
+        {A,Alen,Ics1,L1,_C1} ->                  % Accepting end state
+            C2 = adjust_col(Tcs, Alen, C0),
+            string_cont(Ics1, L1, C2, yyaction(A, Alen, Tcs, L0, C0), Ts);
+        {A,Alen,Ics1,L1,_C1,_S1} ->              % Accepting transition state
+            C2 = adjust_col(Tcs, Alen, C0),
+            string_cont(Ics1, L1, C2, yyaction(A, Alen, Tcs, L0, C0), Ts);
+        {reject,_Alen,Tlen,_Ics1,_L1,_C1,_S1} ->  % After a non-accepting state
+            {error,{{L0, C0} ,?MODULE,{illegal,yypre(Tcs, Tlen+1)}},{L0, C0}};
+        {A,Alen,Tlen,_Ics1,L1, C1,_S1}->
+            Tcs1 = yysuf(Tcs, Alen),
+            L2 = adjust_line(Tlen, Alen, Tcs1, L1),
+            C2 = adjust_col(Tcs, Alen, C1),
+            string_cont(Tcs1, L2, C2, yyaction(A, Alen, Tcs, L0,C0), Ts)
+    end.
+
+%% string_cont(RestChars, Line, Col, Token, Tokens)
+%% Test for and remove the end token wrapper. Push back characters
+%% are prepended to RestChars.
+
+-dialyzer({nowarn_function, string_cont/5}).
+
+string_cont(Rest, Line, Col, {token,T}, Ts) ->
+    do_string(Rest, Line, Col, Rest, [T|Ts]);
+string_cont(Rest, Line, Col, {token,T,Push}, Ts) ->
+    NewRest = Push ++ Rest,
+    do_string(NewRest, Line, Col, NewRest, [T|Ts]);
+string_cont(Rest, Line, Col, {end_token,T}, Ts) ->
+    do_string(Rest, Line, Col, Rest, [T|Ts]);
+string_cont(Rest, Line, Col, {end_token,T,Push}, Ts) ->
+    NewRest = Push ++ Rest,
+    do_string(NewRest, Line, Col, NewRest, [T|Ts]);
+string_cont(Rest, Line, Col, skip_token, Ts) ->
+    do_string(Rest, Line, Col, Rest, Ts);
+string_cont(Rest, Line, Col, {skip_token,Push}, Ts) ->
+    NewRest = Push ++ Rest,
+    do_string(NewRest, Line, Col, NewRest, Ts);
+string_cont(_Rest, Line, Col, {error,S}, _Ts) ->
+    {error,{{Line, Col},?MODULE,{user,S}},{Line,Col}}.
+
+%% token(Continuation, Chars) ->
+%% token(Continuation, Chars, Loc) ->
+%% {more,Continuation} | {done,ReturnVal,RestChars}.
+%% Must be careful when re-entering to append the latest characters to the
+%% after characters in an accept. The continuation is:
+%% {token,State,CurrLine,CurrCol,TokenChars,TokenLen,TokenLine,TokenCol,AccAction,AccLen}
+
+token(Cont,Chars) -> 
+    token(Cont,Chars,1).
+token(Cont, Chars, Line) -> 
+    case do_token(Cont,Chars,Line,1) of
+        {more, _} = C -> C;
+        {done, Ret0, R} ->
+            Ret1 = case Ret0 of
+                {ok, T, {L,_}} -> {ok, T, L};
+                {eof, {L,_}} -> {eof, L};
+                {error, {{EL,_},M,D},{L,_}} -> {error, {EL,M,D},L}
+            end,
+            {done, Ret1, R}
+    end.
+
+do_token([], Chars, Line, Col) ->
+    token(yystate(), Chars, Line, Col, Chars, 0, Line, Col, reject, 0);
+do_token({token,State,Line,Col,Tcs,Tlen,Tline,Tcol,Action,Alen}, Chars, _, _) ->
+    token(State, Chars, Line, Col, Tcs ++ Chars, Tlen, Tline, Tcol, Action, Alen).
+
+%% token(State, InChars, Line, Col, TokenChars, TokenLen, TokenLine, TokenCol
+%% AcceptAction, AcceptLen) ->
+%% {more,Continuation} | {done,ReturnVal,RestChars}.
+%% The argument order is chosen to be more efficient.
+
+token(S0, Ics0, L0, C0, Tcs, Tlen0, Tline, Tcol, A0, Alen0) ->
+    case yystate(S0, Ics0, L0, C0, Tlen0, A0, Alen0) of
+        %% Accepting end state, we have a token.
+        {A1,Alen1,Ics1,L1,C1} ->
+            C2 = adjust_col(Tcs, Alen1, C1),
+            token_cont(Ics1, L1, C2, yyaction(A1, Alen1, Tcs, Tline,Tcol));
+        %% Accepting transition state, can take more chars.
+        {A1,Alen1,[],L1,C1,S1} ->                  % Need more chars to check
+            {more,{token,S1,L1,C1,Tcs,Alen1,Tline,Tcol,A1,Alen1}};
+        {A1,Alen1,Ics1,L1,C1,_S1} ->               % Take what we got
+            C2 = adjust_col(Tcs, Alen1, C1),
+            token_cont(Ics1, L1, C2, yyaction(A1, Alen1, Tcs, Tline,Tcol));
+        %% After a non-accepting state, maybe reach accept state later.
+        {A1,Alen1,Tlen1,[],L1,C1,S1} ->            % Need more chars to check
+            {more,{token,S1,L1,C1,Tcs,Tlen1,Tline,Tcol,A1,Alen1}};
+        {reject,_Alen1,Tlen1,eof,L1,C1,_S1} ->     % No token match
+            %% Check for partial token which is error.
+            Ret = if Tlen1 > 0 -> {error,{{Tline,Tcol},?MODULE,
+                                          %% Skip eof tail in Tcs.
+                                          {illegal,yypre(Tcs, Tlen1)}},{L1,C1}};
+                     true -> {eof,{L1,C1}}
+                  end,
+            {done,Ret,eof};
+        {reject,_Alen1,Tlen1,Ics1,_L1,_C1,_S1} ->    % No token match
+            Error = {{Tline,Tcol},?MODULE,{illegal,yypre(Tcs, Tlen1+1)}},
+            {done,{error,Error,{Tline,Tcol}},Ics1};
+        {A1,Alen1,Tlen1,_Ics1,L1,_C1,_S1} ->       % Use last accept match
+            Tcs1 = yysuf(Tcs, Alen1),
+            L2 = adjust_line(Tlen1, Alen1, Tcs1, L1),
+            C2 = C0 + Alen1,
+            token_cont(Tcs1, L2, C2, yyaction(A1, Alen1, Tcs, Tline, Tcol))
+    end.
+
+%% token_cont(RestChars, Line, Col, Token)
+%% If we have a token or error then return done, else if we have a
+%% skip_token then continue.
+
+-dialyzer({nowarn_function, token_cont/4}).
+
+token_cont(Rest, Line, Col, {token,T}) ->
+    {done,{ok,T,{Line,Col}},Rest};
+token_cont(Rest, Line, Col, {token,T,Push}) ->
+    NewRest = Push ++ Rest,
+    {done,{ok,T,{Line,Col}},NewRest};
+token_cont(Rest, Line, Col, {end_token,T}) ->
+    {done,{ok,T,{Line,Col}},Rest};
+token_cont(Rest, Line, Col, {end_token,T,Push}) ->
+    NewRest = Push ++ Rest,
+    {done,{ok,T,{Line,Col}},NewRest};
+token_cont(Rest, Line, Col, skip_token) ->
+    token(yystate(), Rest, Line, Col, Rest, 0, Line, Col, reject, 0);
+token_cont(Rest, Line, Col, {skip_token,Push}) ->
+    NewRest = Push ++ Rest,
+    token(yystate(), NewRest, Line, Col, NewRest, 0, Line, Col, reject, 0);
+token_cont(Rest, Line, Col, {error,S}) ->
+    {done,{error,{{Line, Col},?MODULE,{user,S}},{Line, Col}},Rest}.
+
+%% tokens(Continuation, Chars) ->
+%% tokens(Continuation, Chars, Loc) ->
+%% {more,Continuation} | {done,ReturnVal,RestChars}.
+%% Must be careful when re-entering to append the latest characters to the
+%% after characters in an accept. The continuation is:
+%% {tokens,State,CurrLine,CurrCol,TokenChars,TokenLen,TokenLine,TokenCur,Tokens,AccAction,AccLen}
+%% {skip_tokens,State,CurrLine,CurrCol,TokenChars,TokenLen,TokenLine,TokenCur,Error,AccAction,AccLen}
+
+tokens(Cont,Chars) -> 
+    tokens(Cont,Chars,1).
+tokens(Cont, Chars, Line) -> 
+    case do_tokens(Cont,Chars,Line,1) of
+        {more, _} = C -> C;
+        {done, Ret0, R} ->
+            Ret1 = case Ret0 of
+                {ok, T, {L,_}} -> {ok, T, L};
+                {eof, {L,_}} -> {eof, L};
+                {error, {{EL,_},M,D},{L,_}} -> {error, {EL,M,D},L}
+            end,
+            {done, Ret1, R}
+    end.
+
+do_tokens([], Chars, Line, Col) ->
+    tokens(yystate(), Chars, Line, Col, Chars, 0, Line, Col, [], reject, 0);
+do_tokens({tokens,State,Line,Col,Tcs,Tlen,Tline,Tcol,Ts,Action,Alen}, Chars, _,_) ->
+    tokens(State, Chars, Line, Col, Tcs ++ Chars, Tlen, Tline, Tcol, Ts, Action, Alen);
+do_tokens({skip_tokens,State,Line, Col, Tcs,Tlen,Tline,Tcol,Error,Action,Alen}, Chars, _,_) ->
+    skip_tokens(State, Chars, Line, Col, Tcs ++ Chars, Tlen, Tline, Tcol, Error, Action, Alen).
+
+%% tokens(State, InChars, Line, Col, TokenChars, TokenLen, TokenLine, TokenCol,Tokens,
+%% AcceptAction, AcceptLen) ->
+%% {more,Continuation} | {done,ReturnVal,RestChars}.
+
+tokens(S0, Ics0, L0, C0, Tcs, Tlen0, Tline, Tcol, Ts, A0, Alen0) ->
+    case yystate(S0, Ics0, L0, C0, Tlen0, A0, Alen0) of
+        %% Accepting end state, we have a token.
+        {A1,Alen1,Ics1,L1,C1} ->
+            C2 = adjust_col(Tcs, Alen1, C1),
+            tokens_cont(Ics1, L1, C2, yyaction(A1, Alen1, Tcs, Tline, Tcol), Ts);
+        %% Accepting transition state, can take more chars.
+        {A1,Alen1,[],L1,C1,S1} ->                  % Need more chars to check
+            {more,{tokens,S1,L1,C1,Tcs,Alen1,Tline,Tcol,Ts,A1,Alen1}};
+        {A1,Alen1,Ics1,L1,C1,_S1} ->               % Take what we got
+            C2 = adjust_col(Tcs, Alen1, C1),
+            tokens_cont(Ics1, L1, C2, yyaction(A1, Alen1, Tcs, Tline,Tcol), Ts);
+        %% After a non-accepting state, maybe reach accept state later.
+        {A1,Alen1,Tlen1,[],L1,C1,S1} ->            % Need more chars to check
+            {more,{tokens,S1,L1,C1,Tcs,Tlen1,Tline,Tcol,Ts,A1,Alen1}};
+        {reject,_Alen1,Tlen1,eof,L1,C1,_S1} ->     % No token match
+            %% Check for partial token which is error, no need to skip here.
+            Ret = if Tlen1 > 0 -> {error,{{Tline,Tcol},?MODULE,
+                                          %% Skip eof tail in Tcs.
+                                          {illegal,yypre(Tcs, Tlen1)}},{L1,C1}};
+                     Ts == [] -> {eof,{L1,C1}};
+                     true -> {ok,yyrev(Ts),{L1,C1}}
+                  end,
+            {done,Ret,eof};
+        {reject,_Alen1,Tlen1,_Ics1,L1,C1,_S1} ->
+            %% Skip rest of tokens.
+            Error = {{L1,C1},?MODULE,{illegal,yypre(Tcs, Tlen1+1)}},
+            skip_tokens(yysuf(Tcs, Tlen1+1), L1, C1, Error);
+        {A1,Alen1,Tlen1,_Ics1,L1,_C1,_S1} ->
+            Token = yyaction(A1, Alen1, Tcs, Tline,Tcol),
+            Tcs1 = yysuf(Tcs, Alen1),
+            L2 = adjust_line(Tlen1, Alen1, Tcs1, L1),
+            C2 = C0 + Alen1,
+            tokens_cont(Tcs1, L2, C2, Token, Ts)
+    end.
+
+%% tokens_cont(RestChars, Line, Column, Token, Tokens)
+%% If we have an end_token or error then return done, else if we have
+%% a token then save it and continue, else if we have a skip_token
+%% just continue.
+
+-dialyzer({nowarn_function, tokens_cont/5}).
+
+tokens_cont(Rest, Line, Col, {token,T}, Ts) ->
+    tokens(yystate(), Rest, Line, Col, Rest, 0, Line, Col, [T|Ts], reject, 0);
+tokens_cont(Rest, Line, Col, {token,T,Push}, Ts) ->
+    NewRest = Push ++ Rest,
+    tokens(yystate(), NewRest, Line, Col, NewRest, 0, Line, Col, [T|Ts], reject, 0);
+tokens_cont(Rest, Line, Col, {end_token,T}, Ts) ->
+    {done,{ok,yyrev(Ts, [T]),{Line,Col}},Rest};
+tokens_cont(Rest, Line, Col, {end_token,T,Push}, Ts) ->
+    NewRest = Push ++ Rest,
+    {done,{ok,yyrev(Ts, [T]),{Line, Col}},NewRest};
+tokens_cont(Rest, Line, Col, skip_token, Ts) ->
+    tokens(yystate(), Rest, Line, Col, Rest, 0, Line, Col, Ts, reject, 0);
+tokens_cont(Rest, Line, Col, {skip_token,Push}, Ts) ->
+    NewRest = Push ++ Rest,
+    tokens(yystate(), NewRest, Line, Col, NewRest, 0, Line, Col, Ts, reject, 0);
+tokens_cont(Rest, Line, Col, {error,S}, _Ts) ->
+    skip_tokens(Rest, Line, Col, {{Line,Col},?MODULE,{user,S}}).
+
+%% skip_tokens(InChars, Line, Col, Error) -> {done,{error,Error,{Line,Col}},Ics}.
+%% Skip tokens until an end token, junk everything and return the error.
+
+skip_tokens(Ics, Line, Col, Error) ->
+    skip_tokens(yystate(), Ics, Line, Col, Ics, 0, Line, Col, Error, reject, 0).
+
+%% skip_tokens(State, InChars, Line, Col, TokenChars, TokenLen, TokenLine, TokenCol, Tokens,
+%% AcceptAction, AcceptLen) ->
+%% {more,Continuation} | {done,ReturnVal,RestChars}.
+
+skip_tokens(S0, Ics0, L0, C0, Tcs, Tlen0, Tline, Tcol, Error, A0, Alen0) ->
+    case yystate(S0, Ics0, L0, C0, Tlen0, A0, Alen0) of
+        {A1,Alen1,Ics1,L1, C1} ->                  % Accepting end state
+            skip_cont(Ics1, L1, C1, yyaction(A1, Alen1, Tcs, Tline, Tcol), Error);
+        {A1,Alen1,[],L1,C1, S1} ->                 % After an accepting state
+            {more,{skip_tokens,S1,L1,C1,Tcs,Alen1,Tline,Tcol,Error,A1,Alen1}};
+        {A1,Alen1,Ics1,L1,C1,_S1} ->
+            skip_cont(Ics1, L1, C1, yyaction(A1, Alen1, Tcs, Tline, Tcol), Error);
+        {A1,Alen1,Tlen1,[],L1,C1,S1} ->           % After a non-accepting state
+            {more,{skip_tokens,S1,L1,C1,Tcs,Tlen1,Tline,Tcol,Error,A1,Alen1}};
+        {reject,_Alen1,_Tlen1,eof,L1,C1,_S1} ->
+            {done,{error,Error,{L1,C1}},eof};
+        {reject,_Alen1,Tlen1,_Ics1,L1,C1,_S1} ->
+            skip_tokens(yysuf(Tcs, Tlen1+1), L1, C1,Error);
+        {A1,Alen1,Tlen1,_Ics1,L1,C1,_S1} ->
+            Token = yyaction(A1, Alen1, Tcs, Tline, Tcol),
+            Tcs1 = yysuf(Tcs, Alen1),
+            L2 = adjust_line(Tlen1, Alen1, Tcs1, L1),
+            skip_cont(Tcs1, L2, C1, Token, Error)
+    end.
+
+%% skip_cont(RestChars, Line, Col, Token, Error)
+%% Skip tokens until we have an end_token or error then return done
+%% with the original rror.
+
+-dialyzer({nowarn_function, skip_cont/5}).
+
+skip_cont(Rest, Line, Col, {token,_T}, Error) ->
+    skip_tokens(yystate(), Rest, Line, Col, Rest, 0, Line, Col, Error, reject, 0);
+skip_cont(Rest, Line, Col, {token,_T,Push}, Error) ->
+    NewRest = Push ++ Rest,
+    skip_tokens(yystate(), NewRest, Line, Col, NewRest, 0, Line, Col, Error, reject, 0);
+skip_cont(Rest, Line, Col, {end_token,_T}, Error) ->
+    {done,{error,Error,{Line,Col}},Rest};
+skip_cont(Rest, Line, Col, {end_token,_T,Push}, Error) ->
+    NewRest = Push ++ Rest,
+    {done,{error,Error,{Line,Col}},NewRest};
+skip_cont(Rest, Line, Col, skip_token, Error) ->
+    skip_tokens(yystate(), Rest, Line, Col, Rest, 0, Line, Col, Error, reject, 0);
+skip_cont(Rest, Line, Col, {skip_token,Push}, Error) ->
+    NewRest = Push ++ Rest,
+    skip_tokens(yystate(), NewRest, Line, Col, NewRest, 0, Line, Col, Error, reject, 0);
+skip_cont(Rest, Line, Col, {error,_S}, Error) ->
+    skip_tokens(yystate(), Rest, Line, Col, Rest, 0, Line, Col, Error, reject, 0).
+
+-compile({nowarn_unused_function, [yyrev/1, yyrev/2, yypre/2, yysuf/2]}).
+
+yyrev(List) -> lists:reverse(List).
+yyrev(List, Tail) -> lists:reverse(List, Tail).
+yypre(List, N) -> lists:sublist(List, N).
+yysuf(List, N) -> lists:nthtail(N, List).
+
+%% adjust_line(TokenLength, AcceptLength, Chars, Line) -> NewLine
+%% Make sure that newlines in Chars are not counted twice.
+%% Line has been updated with respect to newlines in the prefix of
+%% Chars consisting of (TokenLength - AcceptLength) characters.
+
+-compile({nowarn_unused_function, adjust_line/4}).
+
+adjust_line(N, N, _Cs, L) -> L;
+adjust_line(T, A, [$\n|Cs], L) ->
+    adjust_line(T-1, A, Cs, L-1);
+adjust_line(T, A, [_|Cs], L) ->
+    adjust_line(T-1, A, Cs, L).
+
+%% adjust_col(Chars, AcceptLength, Col) -> NewCol
+%% Handle newlines, tabs and unicode chars.
+adjust_col(_, 0, Col) ->
+    Col;
+adjust_col([$\n | R], L, _) ->
+    adjust_col(R, L-1, 1);
+adjust_col([$\t | R], L, Col) ->
+    adjust_col(R, L-1, tab_forward(Col)+1);
+adjust_col([C | R], L, Col) when C>=0 andalso C=< 16#7F ->
+    adjust_col(R, L-1, Col+1);
+adjust_col([C | R], L, Col) when C>= 16#80 andalso C=< 16#7FF ->
+    adjust_col(R, L-1, Col+2);
+adjust_col([C | R], L, Col) when C>= 16#800 andalso C=< 16#FFFF ->
+    adjust_col(R, L-1, Col+3);
+adjust_col([C | R], L, Col) when C>= 16#10000 andalso C=< 16#10FFFF ->
+    adjust_col(R, L-1, Col+4).
+
+tab_forward(C) ->
+    D = C rem tab_size(),
+    A = tab_size()-D,
+    C+A.
+
+tab_size() -> 8.
+
+%% yystate() -> InitialState.
+%% yystate(State, InChars, Line, Col, CurrTokLen, AcceptAction, AcceptLen) ->
+%% {Action, AcceptLen, RestChars, Line, Col} |
+%% {Action, AcceptLen, RestChars, Line, Col, State} |
+%% {reject, AcceptLen, CurrTokLen, RestChars, Line, Col, State} |
+%% {Action, AcceptLen, CurrTokLen, RestChars, Line, Col, State}.
+%% Generated state transition functions. The non-accepting end state
+%% return signal either an unrecognised character or end of current
+%% input.
+
+-file("/Users/ferd/code/self/rebar3/apps/rebar/src/vendored/r3_safe_erl_term.erl", 425).
+yystate() -> 12.
+
+yystate(19, [92|Ics], Line, Col, Tlen, Action, Alen) ->
+    yystate(15, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(19, [34|Ics], Line, Col, Tlen, Action, Alen) ->
+    yystate(7, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(19, [10|Ics], Line, _, Tlen, Action, Alen) ->
+    yystate(8, Ics, Line+1, 1, Tlen+1, Action, Alen);
+yystate(19, [C|Ics], Line, Col, Tlen, Action, Alen) when C >= 0, C =< 9 ->
+    yystate(8, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(19, [C|Ics], Line, Col, Tlen, Action, Alen) when C >= 11, C =< 33 ->
+    yystate(8, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(19, [C|Ics], Line, Col, Tlen, Action, Alen) when C >= 35, C =< 91 ->
+    yystate(8, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(19, [C|Ics], Line, Col, Tlen, Action, Alen) when C >= 93 ->
+    yystate(8, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(19, Ics, Line, Col, Tlen, Action, Alen) ->
+    {Action,Alen,Tlen,Ics,Line,Col,19};
+yystate(18, [92|Ics], Line, Col, Tlen, Action, Alen) ->
+    yystate(14, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(18, [39|Ics], Line, Col, Tlen, Action, Alen) ->
+    yystate(10, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(18, [10|Ics], Line, _, Tlen, Action, Alen) ->
+    yystate(5, Ics, Line+1, 1, Tlen+1, Action, Alen);
+yystate(18, [C|Ics], Line, Col, Tlen, Action, Alen) when C >= 0, C =< 9 ->
+    yystate(5, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(18, [C|Ics], Line, Col, Tlen, Action, Alen) when C >= 11, C =< 38 ->
+    yystate(5, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(18, [C|Ics], Line, Col, Tlen, Action, Alen) when C >= 40, C =< 91 ->
+    yystate(5, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(18, [C|Ics], Line, Col, Tlen, Action, Alen) when C >= 93 ->
+    yystate(5, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(18, Ics, Line, Col, Tlen, Action, Alen) ->
+    {Action,Alen,Tlen,Ics,Line,Col,18};
+yystate(17, [60|Ics], Line, Col, Tlen, Action, Alen) ->
+    yystate(11, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(17, Ics, Line, Col, Tlen, Action, Alen) ->
+    {Action,Alen,Tlen,Ics,Line,Col,17};
+yystate(16, [10|Ics], Line, _, Tlen, _, _) ->
+    yystate(16, Ics, Line+1, 1, Tlen+1, 8, Tlen);
+yystate(16, [C|Ics], Line, Col, Tlen, _, _) when C >= 0, C =< 9 ->
+    yystate(16, Ics, Line, Col, Tlen+1, 8, Tlen);
+yystate(16, [C|Ics], Line, Col, Tlen, _, _) when C >= 11, C =< 32 ->
+    yystate(16, Ics, Line, Col, Tlen+1, 8, Tlen);
+yystate(16, Ics, Line, Col, Tlen, _, _) ->
+    {8,Tlen,Ics,Line,Col,16};
+yystate(15, [94|Ics], Line, Col, Tlen, Action, Alen) ->
+    yystate(19, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(15, [93|Ics], Line, Col, Tlen, Action, Alen) ->
+    yystate(8, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(15, [92|Ics], Line, Col, Tlen, Action, Alen) ->
+    yystate(15, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(15, [34|Ics], Line, Col, Tlen, Action, Alen) ->
+    yystate(7, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(15, [10|Ics], Line, _, Tlen, Action, Alen) ->
+    yystate(8, Ics, Line+1, 1, Tlen+1, Action, Alen);
+yystate(15, [C|Ics], Line, Col, Tlen, Action, Alen) when C >= 0, C =< 9 ->
+    yystate(8, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(15, [C|Ics], Line, Col, Tlen, Action, Alen) when C >= 11, C =< 33 ->
+    yystate(8, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(15, [C|Ics], Line, Col, Tlen, Action, Alen) when C >= 35, C =< 91 ->
+    yystate(8, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(15, [C|Ics], Line, Col, Tlen, Action, Alen) when C >= 95 ->
+    yystate(8, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(15, Ics, Line, Col, Tlen, Action, Alen) ->
+    {Action,Alen,Tlen,Ics,Line,Col,15};
+yystate(14, [94|Ics], Line, Col, Tlen, Action, Alen) ->
+    yystate(18, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(14, [93|Ics], Line, Col, Tlen, Action, Alen) ->
+    yystate(5, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(14, [92|Ics], Line, Col, Tlen, Action, Alen) ->
+    yystate(14, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(14, [39|Ics], Line, Col, Tlen, Action, Alen) ->
+    yystate(10, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(14, [10|Ics], Line, _, Tlen, Action, Alen) ->
+    yystate(5, Ics, Line+1, 1, Tlen+1, Action, Alen);
+yystate(14, [C|Ics], Line, Col, Tlen, Action, Alen) when C >= 0, C =< 9 ->
+    yystate(5, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(14, [C|Ics], Line, Col, Tlen, Action, Alen) when C >= 11, C =< 38 ->
+    yystate(5, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(14, [C|Ics], Line, Col, Tlen, Action, Alen) when C >= 40, C =< 91 ->
+    yystate(5, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(14, [C|Ics], Line, Col, Tlen, Action, Alen) when C >= 95 ->
+    yystate(5, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(14, Ics, Line, Col, Tlen, Action, Alen) ->
+    {Action,Alen,Tlen,Ics,Line,Col,14};
+yystate(13, Ics, Line, Col, Tlen, _, _) ->
+    {4,Tlen,Ics,Line,Col};
+yystate(12, [125|Ics], Line, Col, Tlen, Action, Alen) ->
+    yystate(13, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(12, [123|Ics], Line, Col, Tlen, Action, Alen) ->
+    yystate(13, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(12, [93|Ics], Line, Col, Tlen, Action, Alen) ->
+    yystate(13, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(12, [91|Ics], Line, Col, Tlen, Action, Alen) ->
+    yystate(13, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(12, [62|Ics], Line, Col, Tlen, Action, Alen) ->
+    yystate(3, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(12, [61|Ics], Line, Col, Tlen, Action, Alen) ->
+    yystate(3, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(12, [60|Ics], Line, Col, Tlen, Action, Alen) ->
+    yystate(17, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(12, [47|Ics], Line, Col, Tlen, Action, Alen) ->
+    yystate(1, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(12, [46|Ics], Line, Col, Tlen, Action, Alen) ->
+    yystate(6, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(12, [39|Ics], Line, Col, Tlen, Action, Alen) ->
+    yystate(5, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(12, [35|Ics], Line, Col, Tlen, Action, Alen) ->
+    yystate(13, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(12, [34|Ics], Line, Col, Tlen, Action, Alen) ->
+    yystate(8, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(12, [10|Ics], Line, _, Tlen, Action, Alen) ->
+    yystate(16, Ics, Line+1, 1, Tlen+1, Action, Alen);
+yystate(12, [C|Ics], Line, Col, Tlen, Action, Alen) when C >= 0, C =< 9 ->
+    yystate(16, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(12, [C|Ics], Line, Col, Tlen, Action, Alen) when C >= 11, C =< 32 ->
+    yystate(16, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(12, [C|Ics], Line, Col, Tlen, Action, Alen) when C >= 43, C =< 45 ->
+    yystate(13, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(12, [C|Ics], Line, Col, Tlen, Action, Alen) when C >= 48, C =< 57 ->
+    yystate(9, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(12, [C|Ics], Line, Col, Tlen, Action, Alen) when C >= 97, C =< 122 ->
+    yystate(4, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(12, Ics, Line, Col, Tlen, Action, Alen) ->
+    {Action,Alen,Tlen,Ics,Line,Col,12};
+yystate(11, Ics, Line, Col, Tlen, _, _) ->
+    {5,Tlen,Ics,Line,Col};
+yystate(10, [92|Ics], Line, Col, Tlen, _, _) ->
+    yystate(14, Ics, Line, Col, Tlen+1, 1, Tlen);
+yystate(10, [39|Ics], Line, Col, Tlen, _, _) ->
+    yystate(2, Ics, Line, Col, Tlen+1, 1, Tlen);
+yystate(10, [10|Ics], Line, _, Tlen, _, _) ->
+    yystate(5, Ics, Line+1, 1, Tlen+1, 1, Tlen);
+yystate(10, [C|Ics], Line, Col, Tlen, _, _) when C >= 0, C =< 9 ->
+    yystate(5, Ics, Line, Col, Tlen+1, 1, Tlen);
+yystate(10, [C|Ics], Line, Col, Tlen, _, _) when C >= 11, C =< 38 ->
+    yystate(5, Ics, Line, Col, Tlen+1, 1, Tlen);
+yystate(10, [C|Ics], Line, Col, Tlen, _, _) when C >= 40, C =< 91 ->
+    yystate(5, Ics, Line, Col, Tlen+1, 1, Tlen);
+yystate(10, [C|Ics], Line, Col, Tlen, _, _) when C >= 93 ->
+    yystate(5, Ics, Line, Col, Tlen+1, 1, Tlen);
+yystate(10, Ics, Line, Col, Tlen, _, _) ->
+    {1,Tlen,Ics,Line,Col,10};
+yystate(9, [C|Ics], Line, Col, Tlen, _, _) when C >= 48, C =< 57 ->
+    yystate(9, Ics, Line, Col, Tlen+1, 3, Tlen);
+yystate(9, Ics, Line, Col, Tlen, _, _) ->
+    {3,Tlen,Ics,Line,Col,9};
+yystate(8, [92|Ics], Line, Col, Tlen, Action, Alen) ->
+    yystate(15, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(8, [34|Ics], Line, Col, Tlen, Action, Alen) ->
+    yystate(0, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(8, [10|Ics], Line, _, Tlen, Action, Alen) ->
+    yystate(8, Ics, Line+1, 1, Tlen+1, Action, Alen);
+yystate(8, [C|Ics], Line, Col, Tlen, Action, Alen) when C >= 0, C =< 9 ->
+    yystate(8, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(8, [C|Ics], Line, Col, Tlen, Action, Alen) when C >= 11, C =< 33 ->
+    yystate(8, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(8, [C|Ics], Line, Col, Tlen, Action, Alen) when C >= 35, C =< 91 ->
+    yystate(8, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(8, [C|Ics], Line, Col, Tlen, Action, Alen) when C >= 93 ->
+    yystate(8, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(8, Ics, Line, Col, Tlen, Action, Alen) ->
+    {Action,Alen,Tlen,Ics,Line,Col,8};
+yystate(7, [92|Ics], Line, Col, Tlen, _, _) ->
+    yystate(15, Ics, Line, Col, Tlen+1, 2, Tlen);
+yystate(7, [34|Ics], Line, Col, Tlen, _, _) ->
+    yystate(0, Ics, Line, Col, Tlen+1, 2, Tlen);
+yystate(7, [10|Ics], Line, _, Tlen, _, _) ->
+    yystate(8, Ics, Line+1, 1, Tlen+1, 2, Tlen);
+yystate(7, [C|Ics], Line, Col, Tlen, _, _) when C >= 0, C =< 9 ->
+    yystate(8, Ics, Line, Col, Tlen+1, 2, Tlen);
+yystate(7, [C|Ics], Line, Col, Tlen, _, _) when C >= 11, C =< 33 ->
+    yystate(8, Ics, Line, Col, Tlen+1, 2, Tlen);
+yystate(7, [C|Ics], Line, Col, Tlen, _, _) when C >= 35, C =< 91 ->
+    yystate(8, Ics, Line, Col, Tlen+1, 2, Tlen);
+yystate(7, [C|Ics], Line, Col, Tlen, _, _) when C >= 93 ->
+    yystate(8, Ics, Line, Col, Tlen+1, 2, Tlen);
+yystate(7, Ics, Line, Col, Tlen, _, _) ->
+    {2,Tlen,Ics,Line,Col,7};
+yystate(6, Ics, Line, Col, Tlen, _, _) ->
+    {6,Tlen,Ics,Line,Col};
+yystate(5, [92|Ics], Line, Col, Tlen, Action, Alen) ->
+    yystate(14, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(5, [39|Ics], Line, Col, Tlen, Action, Alen) ->
+    yystate(2, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(5, [10|Ics], Line, _, Tlen, Action, Alen) ->
+    yystate(5, Ics, Line+1, 1, Tlen+1, Action, Alen);
+yystate(5, [C|Ics], Line, Col, Tlen, Action, Alen) when C >= 0, C =< 9 ->
+    yystate(5, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(5, [C|Ics], Line, Col, Tlen, Action, Alen) when C >= 11, C =< 38 ->
+    yystate(5, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(5, [C|Ics], Line, Col, Tlen, Action, Alen) when C >= 40, C =< 91 ->
+    yystate(5, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(5, [C|Ics], Line, Col, Tlen, Action, Alen) when C >= 93 ->
+    yystate(5, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(5, Ics, Line, Col, Tlen, Action, Alen) ->
+    {Action,Alen,Tlen,Ics,Line,Col,5};
+yystate(4, [95|Ics], Line, Col, Tlen, _, _) ->
+    yystate(4, Ics, Line, Col, Tlen+1, 0, Tlen);
+yystate(4, [64|Ics], Line, Col, Tlen, _, _) ->
+    yystate(4, Ics, Line, Col, Tlen+1, 0, Tlen);
+yystate(4, [C|Ics], Line, Col, Tlen, _, _) when C >= 48, C =< 57 ->
+    yystate(4, Ics, Line, Col, Tlen+1, 0, Tlen);
+yystate(4, [C|Ics], Line, Col, Tlen, _, _) when C >= 65, C =< 90 ->
+    yystate(4, Ics, Line, Col, Tlen+1, 0, Tlen);
+yystate(4, [C|Ics], Line, Col, Tlen, _, _) when C >= 97, C =< 122 ->
+    yystate(4, Ics, Line, Col, Tlen+1, 0, Tlen);
+yystate(4, Ics, Line, Col, Tlen, _, _) ->
+    {0,Tlen,Ics,Line,Col,4};
+yystate(3, [62|Ics], Line, Col, Tlen, Action, Alen) ->
+    yystate(11, Ics, Line, Col, Tlen+1, Action, Alen);
+yystate(3, Ics, Line, Col, Tlen, Action, Alen) ->
+    {Action,Alen,Tlen,Ics,Line,Col,3};
+yystate(2, Ics, Line, Col, Tlen, _, _) ->
+    {1,Tlen,Ics,Line,Col};
+yystate(1, Ics, Line, Col, Tlen, _, _) ->
+    {7,Tlen,Ics,Line,Col};
+yystate(0, Ics, Line, Col, Tlen, _, _) ->
+    {2,Tlen,Ics,Line,Col};
+yystate(S, Ics, Line, Col, Tlen, Action, Alen) ->
+    {Action,Alen,Tlen,Ics,Line,Col,S}.
+
+%% yyaction(Action, TokenLength, TokenChars, TokenLine, TokenCol) ->
+%% {token,Token} | {end_token, Token} | skip_token | {error,String}.
+%% Generated action function.
+
+yyaction(0, TokenLen, YYtcs, TokenLine, _) ->
+    TokenChars = yypre(YYtcs, TokenLen),
+    yyaction_0(TokenChars, TokenLine);
+yyaction(1, TokenLen, YYtcs, TokenLine, _) ->
+    TokenChars = yypre(YYtcs, TokenLen),
+    yyaction_1(TokenChars, TokenLen, TokenLine);
+yyaction(2, TokenLen, YYtcs, TokenLine, _) ->
+    TokenChars = yypre(YYtcs, TokenLen),
+    yyaction_2(TokenChars, TokenLen, TokenLine);
+yyaction(3, TokenLen, YYtcs, TokenLine, _) ->
+    TokenChars = yypre(YYtcs, TokenLen),
+    yyaction_3(TokenChars, TokenLine);
+yyaction(4, TokenLen, YYtcs, TokenLine, _) ->
+    TokenChars = yypre(YYtcs, TokenLen),
+    yyaction_4(TokenChars, TokenLine);
+yyaction(5, TokenLen, YYtcs, TokenLine, _) ->
+    TokenChars = yypre(YYtcs, TokenLen),
+    yyaction_5(TokenChars, TokenLine);
+yyaction(6, _, _, TokenLine, _) ->
+    yyaction_6(TokenLine);
+yyaction(7, _, _, TokenLine, _) ->
+    yyaction_7(TokenLine);
+yyaction(8, _, _, _, _) ->
+    yyaction_8();
+yyaction(_, _, _, _, _) -> error.
+
+-compile({inline,yyaction_0/2}).
+-file("/Users/ferd/code/self/rebar3/apps/rebar/src/vendored/r3_safe_erl_term.xrl", 14).
+yyaction_0(TokenChars, TokenLine) ->
+     tokenize_atom (TokenChars, TokenLine) .
+
+-compile({inline,yyaction_1/3}).
+-file("/Users/ferd/code/self/rebar3/apps/rebar/src/vendored/r3_safe_erl_term.xrl", 15).
+yyaction_1(TokenChars, TokenLen, TokenLine) ->
+     tokenize_atom (escape (unquote (TokenChars, TokenLen)), TokenLine) .
+
+-compile({inline,yyaction_2/3}).
+-file("/Users/ferd/code/self/rebar3/apps/rebar/src/vendored/r3_safe_erl_term.xrl", 16).
+yyaction_2(TokenChars, TokenLen, TokenLine) ->
+     { token, { string, TokenLine, escape (unquote (TokenChars, TokenLen)) } } .
+
+-compile({inline,yyaction_3/2}).
+-file("/Users/ferd/code/self/rebar3/apps/rebar/src/vendored/r3_safe_erl_term.xrl", 17).
+yyaction_3(TokenChars, TokenLine) ->
+     { token, { integer, TokenLine, list_to_integer (TokenChars) } } .
+
+-compile({inline,yyaction_4/2}).
+-file("/Users/ferd/code/self/rebar3/apps/rebar/src/vendored/r3_safe_erl_term.xrl", 18).
+yyaction_4(TokenChars, TokenLine) ->
+     { token, { list_to_atom (TokenChars), TokenLine } } .
+
+-compile({inline,yyaction_5/2}).
+-file("/Users/ferd/code/self/rebar3/apps/rebar/src/vendored/r3_safe_erl_term.xrl", 19).
+yyaction_5(TokenChars, TokenLine) ->
+     { token, { list_to_atom (TokenChars), TokenLine } } .
+
+-compile({inline,yyaction_6/1}).
+-file("/Users/ferd/code/self/rebar3/apps/rebar/src/vendored/r3_safe_erl_term.xrl", 20).
+yyaction_6(TokenLine) ->
+     { token, { dot, TokenLine } } .
+
+-compile({inline,yyaction_7/1}).
+-file("/Users/ferd/code/self/rebar3/apps/rebar/src/vendored/r3_safe_erl_term.xrl", 21).
+yyaction_7(TokenLine) ->
+     { token, { '/', TokenLine } } .
+
+-compile({inline,yyaction_8/0}).
+-file("/Users/ferd/code/self/rebar3/apps/rebar/src/vendored/r3_safe_erl_term.xrl", 22).
+yyaction_8() ->
+     skip_token .
+-file("/Users/ferd/local/bin/erls/28.3.1/lib/parsetools-2.7/include/leexinc.hrl", 377).

apps/rebar/src/vendored/r3_safe_erl_term.xrl+1 −1 modified

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %%% Author  : Robert Virding
 %%% Purpose : Token definitions for Erlang.

cdf726095bca

Merge commit from fork

https://github.com/hexpm/hex_coreJonatan MännchenFeb 27, 2026via ghsa

commit

3 files changed · +266 −1

src/hex_api.erl+6 −1 modified

@@ -104,7 +104,12 @@ request(Config, Method, Path, Body) when is_binary(Path) and is_map(Config) ->
             Response =
                 case binary:match(ContentType, ?ERL_CONTENT_TYPE) of
                     {_, _} ->
-                        {ok, {Status, RespHeaders, binary_to_term(RespBody)}};
+                        case hex_safe_binary_to_term:safe_binary_to_term(RespBody) of
+                            {ok, Term} ->
+                                {ok, {Status, RespHeaders, Term}};
+                            {error, Reason} ->
+                                {error, Reason}
+                        end;
                     nomatch ->
                         {ok, {Status, RespHeaders, nil}}
                 end,

src/hex_safe_binary_to_term.erl+92 −0 added

@@ -0,0 +1,92 @@
+%% @hidden
+%% Safe deserialization of Erlang terms from binary.
+%%
+%% This module provides a restricted version of `binary_to_term/1' that:
+%% - Uses the `safe' option to prevent creation of new atoms (DoS protection)
+%% - Validates that the term contains no executable code (RCE protection)
+%%
+%% Inspired by Plug.Crypto's non_executable_binary_to_term:
+%% https://github.com/elixir-plug/plug_crypto/blob/c326c3c743b18cf5f4b12735d06dd90c72dcd779/lib/plug/crypto.ex
+-module(hex_safe_binary_to_term).
+
+-export([safe_binary_to_term/1]).
+
+-type unsafe_term() :: function() | port().
+-type error_reason() :: invalid_term | {unsafe_term, unsafe_term()}.
+
+-spec safe_binary_to_term(binary()) -> {ok, term()} | {error, error_reason()}.
+safe_binary_to_term(Binary) when is_binary(Binary) ->
+    try binary_to_term(Binary, [safe]) of
+        Term ->
+            case validate_term(Term) of
+                ok -> {ok, Term};
+                {error, _} = Error -> Error
+            end
+    catch
+        error:badarg ->
+            {error, invalid_term}
+    end.
+
+-spec validate_term(term()) -> ok | {error, {unsafe_term, term()}}.
+validate_term(Term) when is_list(Term) ->
+    validate_list(Term);
+validate_term(Term) when is_tuple(Term) ->
+    validate_tuple(Term, tuple_size(Term));
+validate_term(Term) when is_map(Term) ->
+    validate_map(Term);
+validate_term(Term) when
+    is_atom(Term);
+    is_number(Term);
+    is_bitstring(Term);
+    is_pid(Term);
+    is_reference(Term)
+->
+    ok;
+validate_term(Term) ->
+    {error, {unsafe_term, Term}}.
+
+-spec validate_list(list()) -> ok | {error, {unsafe_term, term()}}.
+validate_list([]) ->
+    ok;
+validate_list([H | T]) when is_list(T) ->
+    case validate_term(H) of
+        ok -> validate_list(T);
+        Error -> Error
+    end;
+validate_list([H | T]) ->
+    %% Improper list
+    case validate_term(H) of
+        ok -> validate_term(T);
+        Error -> Error
+    end.
+
+-spec validate_tuple(tuple(), non_neg_integer()) -> ok | {error, {unsafe_term, term()}}.
+validate_tuple(_Tuple, 0) ->
+    ok;
+validate_tuple(Tuple, N) ->
+    case validate_term(element(N, Tuple)) of
+        ok -> validate_tuple(Tuple, N - 1);
+        Error -> Error
+    end.
+
+-spec validate_map(map()) -> ok | {error, {unsafe_term, term()}}.
+validate_map(Map) ->
+    try
+        maps:fold(
+            fun(Key, Value, ok) ->
+                case validate_term(Key) of
+                    ok ->
+                        case validate_term(Value) of
+                            ok -> ok;
+                            Error -> throw(Error)
+                        end;
+                    Error ->
+                        throw(Error)
+                end
+            end,
+            ok,
+            Map
+        )
+    catch
+        throw:{error, _} = Error -> Error
+    end.

test/hex_safe_binary_to_term_SUITE.erl+168 −0 added

@@ -0,0 +1,168 @@
+-module(hex_safe_binary_to_term_SUITE).
+
+-compile([export_all]).
+
+-include_lib("eunit/include/eunit.hrl").
+-include_lib("common_test/include/ct.hrl").
+
+all() ->
+    [
+        safe_complex_term_test,
+        safe_atoms_test,
+        safe_numbers_test,
+        safe_binaries_test,
+        safe_bitstrings_test,
+        safe_lists_test,
+        safe_tuples_test,
+        safe_maps_test,
+        safe_nested_structures_test,
+        safe_pids_test,
+        safe_references_test,
+        safe_improper_list_test,
+        unsafe_function_test,
+        unsafe_nested_function_test,
+        unsafe_function_in_map_key_test,
+        unsafe_function_in_map_value_test,
+        unsafe_port_test,
+        invalid_binary_test,
+        rejects_unknown_atoms_test
+    ].
+
+%% Safe term tests
+
+%% Test inspired by Plug.Crypto's non_executable_binary_to_term test:
+%% https://github.com/elixir-plug/plug_crypto/blob/c326c3c743b18cf5f4b12735d06dd90c72dcd779/test/plug/crypto_test.exs
+safe_complex_term_test(_Config) ->
+    %% Complex nested structure similar to Plug.Crypto test:
+    %% %{1 => {:foo, ["bar", 2.0, %URI{}, [self() | make_ref()], <<0::4>>]}}
+    %% Using Elixir struct representation to test map with __struct__ key
+    Struct = #{'__struct__' => 'Elixir.URI', authority => <<"example.com">>},
+    Value = #{
+        1 => {foo, [<<"bar">>, 2.0, Struct, [self() | make_ref()], <<0:4>>]}
+    },
+    Binary = term_to_binary(Value),
+    {ok, Value} = hex_safe_binary_to_term:safe_binary_to_term(Binary),
+    ok.
+
+safe_atoms_test(_Config) ->
+    Term = hello,
+    Binary = term_to_binary(Term),
+    {ok, hello} = hex_safe_binary_to_term:safe_binary_to_term(Binary),
+    ok.
+
+safe_numbers_test(_Config) ->
+    Integer = 42,
+    Float = 3.14,
+    {ok, 42} = hex_safe_binary_to_term:safe_binary_to_term(term_to_binary(Integer)),
+    {ok, 3.14} = hex_safe_binary_to_term:safe_binary_to_term(term_to_binary(Float)),
+    ok.
+
+safe_binaries_test(_Config) ->
+    Binary = <<"hello world">>,
+    {ok, <<"hello world">>} = hex_safe_binary_to_term:safe_binary_to_term(term_to_binary(Binary)),
+    ok.
+
+safe_bitstrings_test(_Config) ->
+    %% Bitstring that is not byte-aligned (4 bits)
+    Bitstring = <<0:4>>,
+    {ok, <<0:4>>} = hex_safe_binary_to_term:safe_binary_to_term(term_to_binary(Bitstring)),
+    ok.
+
+safe_lists_test(_Config) ->
+    List = [1, 2, 3, <<"test">>, atom],
+    {ok, [1, 2, 3, <<"test">>, atom]} = hex_safe_binary_to_term:safe_binary_to_term(
+        term_to_binary(List)
+    ),
+    ok.
+
+safe_tuples_test(_Config) ->
+    Tuple = {ok, <<"data">>, 123},
+    {ok, {ok, <<"data">>, 123}} = hex_safe_binary_to_term:safe_binary_to_term(
+        term_to_binary(Tuple)
+    ),
+    ok.
+
+safe_maps_test(_Config) ->
+    Map = #{<<"key">> => <<"value">>, atom_key => 123},
+    {ok, #{<<"key">> := <<"value">>, atom_key := 123}} =
+        hex_safe_binary_to_term:safe_binary_to_term(term_to_binary(Map)),
+    ok.
+
+safe_nested_structures_test(_Config) ->
+    Nested = #{
+        <<"list">> => [1, {2, 3}, #{<<"nested">> => true}],
+        <<"tuple">> => {ok, [a, b, c]}
+    },
+    {ok, Result} = hex_safe_binary_to_term:safe_binary_to_term(term_to_binary(Nested)),
+    Nested = Result,
+    ok.
+
+safe_pids_test(_Config) ->
+    Pid = self(),
+    {ok, Pid} = hex_safe_binary_to_term:safe_binary_to_term(term_to_binary(Pid)),
+    ok.
+
+safe_references_test(_Config) ->
+    Ref = make_ref(),
+    {ok, Ref} = hex_safe_binary_to_term:safe_binary_to_term(term_to_binary(Ref)),
+    ok.
+
+safe_improper_list_test(_Config) ->
+    %% Improper list: [self() | make_ref()] as in Plug.Crypto test
+    ImproperList = [self() | make_ref()],
+    {ok, ImproperList} = hex_safe_binary_to_term:safe_binary_to_term(term_to_binary(ImproperList)),
+    ok.
+
+%% Unsafe term tests
+
+unsafe_function_test(_Config) ->
+    Fun = fun() -> ok end,
+    Binary = term_to_binary(Fun),
+    {error, {unsafe_term, _}} = hex_safe_binary_to_term:safe_binary_to_term(Binary),
+    ok.
+
+unsafe_nested_function_test(_Config) ->
+    %% Test inspired by Plug.Crypto: %{1 => {:foo, [fn -> :bar end]}}
+    Fun = fun() -> bar end,
+    Nested = #{1 => {foo, [Fun]}},
+    Binary = term_to_binary(Nested),
+    {error, {unsafe_term, _}} = hex_safe_binary_to_term:safe_binary_to_term(Binary),
+    ok.
+
+unsafe_function_in_map_key_test(_Config) ->
+    Fun = fun() -> ok end,
+    Map = #{Fun => value},
+    Binary = term_to_binary(Map),
+    {error, {unsafe_term, _}} = hex_safe_binary_to_term:safe_binary_to_term(Binary),
+    ok.
+
+unsafe_function_in_map_value_test(_Config) ->
+    Fun = fun() -> ok end,
+    Map = #{key => Fun},
+    Binary = term_to_binary(Map),
+    {error, {unsafe_term, _}} = hex_safe_binary_to_term:safe_binary_to_term(Binary),
+    ok.
+
+unsafe_port_test(_Config) ->
+    Port = open_port({spawn, "cat"}, []),
+    Binary = term_to_binary(Port),
+    port_close(Port),
+    {error, {unsafe_term, _}} = hex_safe_binary_to_term:safe_binary_to_term(Binary),
+    ok.
+
+%% Error handling tests
+
+invalid_binary_test(_Config) ->
+    {error, invalid_term} = hex_safe_binary_to_term:safe_binary_to_term(
+        <<"not a valid term">>
+    ),
+    ok.
+
+%% Test inspired by Plug.Crypto: <<131, 100, 0, 7, 103, 114, 105, 102, 102, 105, 110>>
+%% This is a binary encoding of an atom that doesn't exist in the atom table.
+%% The 'safe' option should reject it to prevent atom table exhaustion attacks.
+rejects_unknown_atoms_test(_Config) ->
+    %% Binary encoding of atom 'griffin' which shouldn't exist
+    Binary = <<131, 100, 0, 7, 103, 114, 105, 102, 102, 105, 110>>,
+    {error, invalid_term} = hex_safe_binary_to_term:safe_binary_to_term(Binary),
+    ok.

636739f33225

Fix unsafe deserialization of Erlang terms in API responses

https://github.com/hexpm/hexEric Meadows-JönssonFeb 27, 2026via ghsa

commit

2 files changed · +101 −2

src/mix_hex_api.erl+7 −2 modified

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0 (1cdf3eb), do not edit manually
+%% Vendored from hex_core MANUALLY!, do not edit manually
 
 %% @doc
 %% Hex HTTP API
@@ -106,7 +106,12 @@ request(Config, Method, Path, Body) when is_binary(Path) and is_map(Config) ->
             Response =
                 case binary:match(ContentType, ?ERL_CONTENT_TYPE) of
                     {_, _} ->
-                        {ok, {Status, RespHeaders, binary_to_term(RespBody)}};
+                        case mix_hex_safe_binary_to_term:safe_binary_to_term(RespBody) of
+                            {ok, Term} ->
+                                {ok, {Status, RespHeaders, Term}};
+                            {error, Reason} ->
+                                {error, Reason}
+                        end;
                     nomatch ->
                         {ok, {Status, RespHeaders, nil}}
                 end,

src/mix_hex_safe_binary_to_term.erl+94 −0 added

@@ -0,0 +1,94 @@
+%% Vendored from hex_core MANUALLY!, do not edit manually
+
+%% @hidden
+%% Safe deserialization of Erlang terms from binary.
+%%
+%% This module provides a restricted version of `binary_to_term/1' that:
+%% - Uses the `safe' option to prevent creation of new atoms (DoS protection)
+%% - Validates that the term contains no executable code (RCE protection)
+%%
+%% Inspired by Plug.Crypto's non_executable_binary_to_term:
+%% https://github.com/elixir-plug/plug_crypto/blob/c326c3c743b18cf5f4b12735d06dd90c72dcd779/lib/plug/crypto.ex
+-module(mix_hex_safe_binary_to_term).
+
+-export([safe_binary_to_term/1]).
+
+-type unsafe_term() :: function() | port().
+-type error_reason() :: invalid_term | {unsafe_term, unsafe_term()}.
+
+-spec safe_binary_to_term(binary()) -> {ok, term()} | {error, error_reason()}.
+safe_binary_to_term(Binary) when is_binary(Binary) ->
+    try binary_to_term(Binary, [safe]) of
+        Term ->
+            case validate_term(Term) of
+                ok -> {ok, Term};
+                {error, _} = Error -> Error
+            end
+    catch
+        error:badarg ->
+            {error, invalid_term}
+    end.
+
+-spec validate_term(term()) -> ok | {error, {unsafe_term, term()}}.
+validate_term(Term) when is_list(Term) ->
+    validate_list(Term);
+validate_term(Term) when is_tuple(Term) ->
+    validate_tuple(Term, tuple_size(Term));
+validate_term(Term) when is_map(Term) ->
+    validate_map(Term);
+validate_term(Term) when
+    is_atom(Term);
+    is_number(Term);
+    is_bitstring(Term);
+    is_pid(Term);
+    is_reference(Term)
+->
+    ok;
+validate_term(Term) ->
+    {error, {unsafe_term, Term}}.
+
+-spec validate_list(list()) -> ok | {error, {unsafe_term, term()}}.
+validate_list([]) ->
+    ok;
+validate_list([H | T]) when is_list(T) ->
+    case validate_term(H) of
+        ok -> validate_list(T);
+        Error -> Error
+    end;
+validate_list([H | T]) ->
+    %% Improper list
+    case validate_term(H) of
+        ok -> validate_term(T);
+        Error -> Error
+    end.
+
+-spec validate_tuple(tuple(), non_neg_integer()) -> ok | {error, {unsafe_term, term()}}.
+validate_tuple(_Tuple, 0) ->
+    ok;
+validate_tuple(Tuple, N) ->
+    case validate_term(element(N, Tuple)) of
+        ok -> validate_tuple(Tuple, N - 1);
+        Error -> Error
+    end.
+
+-spec validate_map(map()) -> ok | {error, {unsafe_term, term()}}.
+validate_map(Map) ->
+    try
+        maps:fold(
+            fun(Key, Value, ok) ->
+                case validate_term(Key) of
+                    ok ->
+                        case validate_term(Value) of
+                            ok -> ok;
+                            Error -> throw(Error)
+                        end;
+                    Error ->
+                        throw(Error)
+                end
+            end,
+            ok,
+            Map
+        )
+    catch
+        throw:{error, _} = Error -> Error
+    end.

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/erlang/rebar3/commit/1d4478f527e373de0b225951e53115450e0d9b9dnvdPatchWEB
github.com/hexpm/hex/commit/636739f3322514e9303ca335fb630696fcbb3c95nvdPatchWEB
github.com/hexpm/hex_core/commit/cdf726095bca85ad2549d146df1e831ae93c2b13nvdPatchWEB
github.com/advisories/GHSA-hx9w-f2w9-9g96ghsaADVISORY
github.com/hexpm/hex_core/security/advisories/GHSA-hx9w-f2w9-9g96nvdMitigationVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2026-21619ghsaADVISORY
cna.erlef.org/cves/CVE-2026-21619.htmlnvdWEB
osv.dev/vulnerability/EEF-CVE-2026-21619nvdWEB

News mentions

No linked articles in our index yet.

Severity

HighCVSS v3.1

7.5/ 10

CVSS v42.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack vector: Network
Complexity: Low
Privileges: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

Probability of exploitation in the next 30 days.

0.07%

VYPR risk score

Composite of severity, exploitation, and reach.

0.42medium

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000

Weaknesses

CWE-400
Uncontrolled Resource Consumption
CWE-502
Deserialization of Untrusted Data

CVE ID

CVE-2026-21619

Source code

github.com/hexpm/hex_core

Credits

ML
Michael Lubas / Paraxial.ia
finder
R
realcorvus
finder · ghsa
EM
Eric Meadows-Jönsson / Hex.pm
remediation reviewer
JM
Jonatan Männchen / EEF
remediation developer
M
maennchen
remediation_developer · ghsa