Security advisory: Decimal DoS vulnerability
A vulnerability has been published for decimal where very large exponents can cause excessive memory allocation and crash the BEAM VM.
Affected versions: decimal < 3.0.0
Fixed in: decimal 3.0.0
CVE: CVE-2026-32686
GHSA: GHSA-rhv4-8758-jx7v
We recommend updating immediately.
decimal v3.0.0 enforces safer defaults. This is technically a breaking change, but for most use cases it should not require application changes. If needed, we recommend overriding the dependency explicitly:
{:decimal, "~> 3.0", override: true}
15 Likes
Just upgraded to 3.0.0 and ran a pretty slow financial test suite from scratch. No regressions! Great work, thank you.
1 Like
Better upgrade to 3.1, 3.0 has a bug that causes an infinite loop.
It caused my tests to hang.
2 Likes
Thank you for reporting it.
Does anyone know/understand why mix deps.audit doesn’t report it?
MixAudit relies on the GitHub Advisory DB. It is unfortunately often a few days out of date. In this case as well.
We’re however working on integrating this directly as warnings in deps.get and hex.audit. (Currently it only checks for retirement status; you can already see the vulnerabilities on hex.pm package pages.)
The data there relies on OSV.dev and therefore directly contains EEF CNA, GHSA and other reporters, see OSV - Open Source Vulnerabilities
3 Likes
Thanks for the explanation, now I get the reason for this post I guess. I didn’t know it was absent from the GitHub Advisory DB, I assumed it was there already since it’s been assigned a GHSA ID.
Happy to know that you’re aware of it and there is work being done to improve the tools.
Well I actually mistyped. I’m on 3.1.0 indeed.
1 Like