CVE-2026-32148 hexpm hex数据真实性验证不足漏洞

# Conceptual PoC demonstrating the type mismatch issue in CVE-2026-32148 # The vulnerability occurs because Hex.Utils.lock/1 returns string keys, # but the verification logic expects atom keys. defmodule MockHexVuln do # Simulates the lock data returned by Hex.Utils.lock/1 (Strings) def get_lock_data_strings do %{"package_name" => "some_checksum"} end # Simulates the resolved dependencies (Atoms) def get_resolved_deps_atoms do %{package_name: "some_checksum"} end # Simulates the vulnerable verification logic def verify_resolved_vulnerable(lock_data, resolved_deps) do # The logic iterates over resolved_deps (atoms) Enum.each(resolved_deps, fn {dep_name_atom, _checksum} -> # But tries to look up in lock_data (strings) # This lookup fails because :package_name != "package_name" case Map.get(lock_data, dep_name_atom) do nil -> # Verification path skipped silently IO.puts("[VULNERABLE] Verification skipped for: #{dep_name_atom}") _ -> IO.puts("Verification passed") end end) end end # Execution lock = MockHexVuln.get_lock_data_strings() deps = MockHexVuln.get_resolved_deps_atoms() MockHexVuln.verify_resolved_vulnerable(lock, deps)