LOW

GHSA-hx9w-f2w9-9g96

hex_core has Unsafe Deserialization of Erlang Terms

Details

### Impact

The Hex client (`hex_core`) deserializes Erlang terms received from the Hex API using `binary_to_term/1` without sufficient restrictions.

If an attacker can control the HTTP response body returned by the Hex API, this allows denial-of-service attacks such as **atom table exhaustion**, leading to a VM crash. No released versions are known to allow remote code execution.
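As an added example (not hex_core's own code) of the pattern the advisory describes: the unrestricted decode beside a hardened decode using Erlang's `[safe]` option, exercised on a constructed response body. The module name, function names and sample body are assumptions.

```erlang
%% Added example, not hex_core's own code: the vulnerable decode pattern
%% beside the [safe] variant, exercised on a constructed ETF body.
%% Module and function names are assumptions.
-module(term_decode_example).
-export([decode_unsafe/1, decode_safe/1, hostile_body/0, demo/0]).

%% Vulnerable pattern: every atom in the body is interned. The atom table
%% is never garbage collected, so a large enough body exhausts it.
decode_unsafe(Body) when is_binary(Body) ->
    binary_to_term(Body).

%% Hardened pattern: [safe] makes binary_to_term/2 raise badarg when the
%% term contains an atom the VM has not seen before, or an external fun.
decode_safe(Body) when is_binary(Body) ->
    try binary_to_term(Body, [safe]) of
        Term -> {ok, Term}
    catch
        error:badarg -> {error, unsafe_term}
    end.

%% SMALL_ATOM_UTF8_EXT (tag 119): one length byte, then the UTF-8 name.
%% Encoding by hand avoids list_to_atom/1, which would intern the names
%% in this VM and make them "known" before the decode is tested.
atom_ext(Name) when is_binary(Name), byte_size(Name) < 256 ->
    <<119, (byte_size(Name)):8, Name/binary>>.

%% Constructed body: version byte 131, LIST_EXT (108) with three atoms
%% that do not exist in a fresh VM, terminated by NIL_EXT (106).
hostile_body() ->
    Elems = [atom_ext(<<"hx_example_atom_", (integer_to_binary(N))/binary>>)
             || N <- lists:seq(1, 3)],
    <<131, 108, 3:32, (iolist_to_binary(Elems))/binary, 106>>.

%% A benign API response: maps and binaries carry no atoms, so [safe]
%% accepts it unchanged.
benign_body() ->
    term_to_binary(#{<<"name">> => <<"hex_core">>, <<"version">> => <<"0.12.1">>}).

demo() ->
    {ok, _} = decode_safe(benign_body()),
    %% Safe decode must run first: once decode_unsafe/1 has interned the
    %% atoms, [safe] would accept the same body on a second try.
    {error, unsafe_term} = decode_safe(hostile_body()),
    Before = erlang:system_info(atom_count),
    [_, _, _] = decode_unsafe(hostile_body()),
    After = erlang:system_info(atom_count),
    io:format("unsafe decode added ~p atoms to the table~n", [After - Before]),
    ok.
```

Running `demo/0` in a fresh VM shows the safe decode rejecting the body while the unsafe decode grows `atom_count` by three; watching that counter is a cheap way to spot this class of issue in a running node.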

### Patches

* https://github.com/hexpm/hex_core/commit/cdf726095bca85ad2549d146df1e831ae93c2b13
* https://github.com/hexpm/hex/commit/636739f3322514e9303ca335fb630696fcbb3c95
* https://github.com/erlang/rebar3/commit/1d4478f527e373de0b225951e53115450e0d9b9d

### Workarounds

Ensure that the Hex API URL (`HEX_API_URL`) points only to trusted endpoints. There is no client-side workaround that fully mitigates this issue without applying the patch.

### Resources

* hex_core Module: https://github.com/hexpm/hex_core/blob/main/src/hex_api.erl
* Hex Vendored Module: https://github.com/hexpm/hex/blob/main/src/mix_hex_api.erl
* Rebar3 Vendored Module: https://github.com/erlang/rebar3/blob/main/apps/rebar/src/vendored/r3_hex_api.erl
* hex_core Patch: https://github.com/hexpm/hex_core/commit/cdf726095bca85ad2549d146df1e831ae93c2b13
* Hex Vendored Patch: https://github.com/hexpm/hex/commit/636739f3322514e9303ca335fb630696fcbb3c95
* Rebar3 Vendored Patch: https://github.com/erlang/rebar3/commit/1d4478f527e373de0b225951e53115450e0d9b9d


Affected packages

Hex / hex_core
First affected version: 0; fixed version: 0.12.1
Fix: `mix deps.update hex_core`

References