Erlang Rebar3
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Erlang Rebar3.
By the Year
In 2026 there have been 1 vulnerability in Erlang Rebar3. Rebar3 did not have any published security vulnerabilities last year. That is, 1 more vulnerability have already been reported in 2026 as compared to last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 0.00 |
| 2025 | 0 | 0.00 |
| 2024 | 0 | 0.00 |
| 2023 | 0 | 0.00 |
| 2022 | 0 | 0.00 |
| 2021 | 0 | 0.00 |
| 2020 | 1 | 9.80 |
| 2019 | 1 | 8.80 |
It may take a day or so for new Rebar3 vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Erlang Rebar3 Security Vulnerabilities
Uncontrolled Resource Use in hexpm Hex_core/Hex & Rebar3 <0.12.1/2.3.2/3.27.0
CVE-2026-21619
- February 27, 2026
Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation. This vulnerability is associated with program files src/hex_api.erl, src/mix_hex_api.erl, apps/rebar/src/vendored/r3_hex_api.erl and program routines hex_core:request/4, mix_hex_api:request/4, r3_hex_api:request/4. This issue affects hex_core: from 0.1.0 before 0.12.1; hex: from 2.3.0 before 2.3.2; rebar3: from 3.9.1 before 3.27.0.
Resource Exhaustion
Rebar3 versions 3.0.0-beta.3 to 3.13.2 are vulnerable to OS command injection
CVE-2020-13802
9.8 - Critical
- September 02, 2020
Rebar3 versions 3.0.0-beta.3 to 3.13.2 are vulnerable to OS command injection via URL parameter of dependency specification.
Erlang/OTP Rebar3 version 3.7.0 through 3.7.5 contains a Signing oracle vulnerability in Package registry verification
CVE-2019-1000014
8.8 - High
- February 04, 2019
Erlang/OTP Rebar3 version 3.7.0 through 3.7.5 contains a Signing oracle vulnerability in Package registry verification that can result in Package modifications not detected, allowing code execution. This attack appears to be exploitable via Victim fetches packages from malicious/compromised mirror. This vulnerability appears to have been fixed in 3.8.0.
Improper Input Validation
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Erlang Rebar3 or by Erlang? Click the Watch button to subscribe.
