Search
Find a vulnerability
Search criteria
8 vulnerabilities found for mdex_native by leandrocp
CVE-2026-54888 (GCVE-0-2026-54888)
Vulnerability from nvd – Published: 2026-06-29 19:10 – Updated: 2026-06-30 04:37
VLAI
Title
Uncontrolled recursion over deeply nested Markdown crashes the BEAM in mdex
Summary
Uncontrolled Recursion vulnerability in leandrocp mdex allows denial of service via deeply nested Markdown input.
mdex converts between an Elixir %MDEx.Document{} struct and Comrak's internal AST using two mutually recursive Rust functions, ex_document_to_comrak_ast and comrak_ast_to_ex_document, in the NIF source file document.rs. Neither function enforces a maximum nesting depth, so the recursion depth is bounded only by the structure of the input. An attacker who can get a Markdown document rendered (for example through MDEx.parse_document!/1 or MDEx.to_html/1) can supply a document with thousands of nested block quotes, which drives unbounded recursion across the NIF boundary and exhausts the native C stack.
Because the resulting stack overflow is an uncatchable SIGSEGV raised inside a NIF, it cannot be contained by the Erlang runtime. It terminates the operating system process running the BEAM, killing every Elixir and Erlang process on the node, not just the caller that triggered the render. No authentication or special privileges are required.
The vulnerable conversion code was extracted from mdex into the separate mdex_native package starting in mdex 0.12.3. This issue affects mdex from 0.3.0 before 0.12.3 and mdex_native from 0.1.0 before 0.2.3.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-674 - Uncontrolled Recursion
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/leandrocp/mdex_native/security… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-54888.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-54888 | related |
| https://github.com/leandrocp/mdex_native/commit/9… | patch |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| leandrocp | mdex |
Affected:
0.3.0 , < 0.12.3
(semver)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex |
Affected:
d0bc7d55177727c61d188ef465178ab3b81f4f2c , < 6ed94d905f97af188323f042698ae841c02293b4
(git)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
0.1.0 , < 0.2.3
(semver)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
956528c5e31746253347029e810a969ab916fd27 , < 947696c47bc22bea5dffc0f78c946fa6b70ce183
(git)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54888",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T20:47:22.348133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T20:47:50.953Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-3w4f-53g2-f66p"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"comrak_nif",
"\u0027Elixir.MDEx\u0027",
"\u0027Elixir.MDEx.Native\u0027"
],
"packageName": "mdex",
"packageURL": "pkg:hex/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/types/document.rs",
"lib/mdex.ex",
"lib/mdex/native.ex"
],
"programRoutines": [
{
"name": "comrak_nif::types::document::ex_document_to_comrak_ast"
},
{
"name": "comrak_nif::types::document::comrak_ast_to_ex_document"
},
{
"name": "\u0027Elixir.MDEx\u0027:parse_document!/1"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/1"
},
{
"name": "\u0027Elixir.MDEx.Native\u0027:document_to_html_with_options/2"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.12.3",
"status": "affected",
"version": "0.3.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"comrak_nif",
"\u0027Elixir.MDEx\u0027",
"\u0027Elixir.MDEx.Native\u0027"
],
"packageName": "leandrocp/mdex",
"packageURL": "pkg:github/leandrocp/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/types/document.rs",
"lib/mdex.ex",
"lib/mdex/native.ex"
],
"programRoutines": [
{
"name": "comrak_nif::types::document::ex_document_to_comrak_ast"
},
{
"name": "comrak_nif::types::document::comrak_ast_to_ex_document"
},
{
"name": "\u0027Elixir.MDEx\u0027:parse_document!/1"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/1"
},
{
"name": "\u0027Elixir.MDEx.Native\u0027:document_to_html_with_options/2"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "6ed94d905f97af188323f042698ae841c02293b4",
"status": "affected",
"version": "d0bc7d55177727c61d188ef465178ab3b81f4f2c",
"versionType": "git"
}
]
},
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"mdex_native_nif",
"\u0027Elixir.MDExNative.Native\u0027"
],
"packageName": "mdex_native",
"packageURL": "pkg:hex/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/types/document.rs",
"lib/mdex_native/native.ex"
],
"programRoutines": [
{
"name": "mdex_native_nif::types::document::ex_document_to_comrak_ast"
},
{
"name": "mdex_native_nif::types::document::comrak_ast_to_ex_document"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:parse_document/2"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.2.3",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"mdex_native_nif",
"\u0027Elixir.MDExNative.Native\u0027"
],
"packageName": "leandrocp/mdex_native",
"packageURL": "pkg:github/leandrocp/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/types/document.rs",
"lib/mdex_native/native.ex"
],
"programRoutines": [
{
"name": "mdex_native_nif::types::document::ex_document_to_comrak_ast"
},
{
"name": "mdex_native_nif::types::document::comrak_ast_to_ex_document"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:parse_document/2"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "947696c47bc22bea5dffc0f78c946fa6b70ce183",
"status": "affected",
"version": "956528c5e31746253347029e810a969ab916fd27",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.12.3",
"versionStartIncluding": "0.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.2.3",
"versionStartIncluding": "0.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Leandro Pereira"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUncontrolled Recursion vulnerability in leandrocp mdex allows denial of service via deeply nested Markdown input.\u003c/p\u003e\u003cp\u003emdex converts between an Elixir \u003ctt\u003e%MDEx.Document{}\u003c/tt\u003e struct and Comrak\u0027s internal AST using two mutually recursive Rust functions, \u003ctt\u003eex_document_to_comrak_ast\u003c/tt\u003e and \u003ctt\u003ecomrak_ast_to_ex_document\u003c/tt\u003e, in the NIF source file \u003ctt\u003edocument.rs\u003c/tt\u003e. Neither function enforces a maximum nesting depth, so the recursion depth is bounded only by the structure of the input. An attacker who can get a Markdown document rendered (for example through \u003ctt\u003eMDEx.parse_document!/1\u003c/tt\u003e or \u003ctt\u003eMDEx.to_html/1\u003c/tt\u003e) can supply a document with thousands of nested block quotes, which drives unbounded recursion across the NIF boundary and exhausts the native C stack.\u003c/p\u003e\u003cp\u003eBecause the resulting stack overflow is an uncatchable SIGSEGV raised inside a NIF, it cannot be contained by the Erlang runtime. It terminates the operating system process running the BEAM, killing every Elixir and Erlang process on the node, not just the caller that triggered the render. No authentication or special privileges are required.\u003c/p\u003e\u003cp\u003eThe vulnerable conversion code was extracted from mdex into the separate mdex_native package starting in mdex 0.12.3. This issue affects mdex from 0.3.0 before 0.12.3 and mdex_native from 0.1.0 before 0.2.3.\u003c/p\u003e"
}
],
"value": "Uncontrolled Recursion vulnerability in leandrocp mdex allows denial of service via deeply nested Markdown input.\n\nmdex converts between an Elixir %MDEx.Document{} struct and Comrak\u0027s internal AST using two mutually recursive Rust functions, ex_document_to_comrak_ast and comrak_ast_to_ex_document, in the NIF source file document.rs. Neither function enforces a maximum nesting depth, so the recursion depth is bounded only by the structure of the input. An attacker who can get a Markdown document rendered (for example through MDEx.parse_document!/1 or MDEx.to_html/1) can supply a document with thousands of nested block quotes, which drives unbounded recursion across the NIF boundary and exhausts the native C stack.\n\nBecause the resulting stack overflow is an uncatchable SIGSEGV raised inside a NIF, it cannot be contained by the Erlang runtime. It terminates the operating system process running the BEAM, killing every Elixir and Erlang process on the node, not just the caller that triggered the render. No authentication or special privileges are required.\n\nThe vulnerable conversion code was extracted from mdex into the separate mdex_native package starting in mdex 0.12.3. This issue affects mdex from 0.3.0 before 0.12.3 and mdex_native from 0.1.0 before 0.2.3."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674 Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T04:37:59.369Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-3w4f-53g2-f66p"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-54888.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-54888"
},
{
"tags": [
"patch"
],
"url": "https://github.com/leandrocp/mdex_native/commit/947696c47bc22bea5dffc0f78c946fa6b70ce183"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Uncontrolled recursion over deeply nested Markdown crashes the BEAM in mdex",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-54888",
"datePublished": "2026-06-29T19:10:38.151Z",
"dateReserved": "2026-06-16T10:47:13.915Z",
"dateUpdated": "2026-06-30T04:37:59.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53429 (GCVE-0-2026-53429)
Vulnerability from nvd – Published: 2026-06-29 19:07 – Updated: 2026-06-30 04:38
VLAI
Title
Unbounded native memory leak in mdex escaped-tag rendering enables unauthenticated denial of service
Summary
Missing Release of Memory after Effective Lifetime vulnerability in leandrocp mdex and mdex_native allows an attacker who controls a rendered document to cause a denial of service through unbounded native memory exhaustion.
The native rendering code permanently leaks memory when rendering a document that contains escaped-tag nodes. The conversion of each %MDEx.EscapedTag{} node into its native representation (From<ExEscapedTag> for NodeValue in the Rust NIF) calls Box::leak on the caller-supplied literal string, which surrenders the backing allocation so that it lives for the entire lifetime of the operating system process and is never freed.
Both the byte length of each literal and the number of escaped-tag nodes in a document are attacker-controlled, and there is no size cap, rate limit, or string interning on this path. Every render of a document containing escaped-tag nodes therefore leaks literal_size x node_count bytes that can never be reclaimed, and repeated renders accumulate without bound. Rendering reaches this path through the public MDEx.to_html/1 entry point and any other API that renders a supplied %MDEx.Document{}.
Any application that uses mdex (or mdex_native directly) to render documents derived from user-supplied content is affected. Because the leaked memory is never reclaimed for the life of the BEAM process, an attacker can drive resident memory upward without limit until the node exhausts memory and crashes, taking down every process on it.
The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/types/document.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/types/document.rs), where it remains unpatched.
This issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/leandrocp/mdex_native/security… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-53429.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-53429 | related |
| https://github.com/leandrocp/mdex_native/commit/c… | patch |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| leandrocp | mdex |
Affected:
0.11.0 , < 0.12.3
(semver)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex |
Affected:
81e4d14dd3aa5b206e395c7f372b9b413793015f , < 6ed94d905f97af188323f042698ae841c02293b4
(git)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
0.1.0 , < 0.2.3
(semver)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
956528c5e31746253347029e810a969ab916fd27 , < cbd927fb5061b488de8d90a8ef6df65718ca1fe6
(git)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53429",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T20:45:00.827777Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T20:45:38.367Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-cmvp-gp9f-23xw"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"comrak_nif"
],
"packageName": "mdex",
"packageURL": "pkg:hex/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/types/document.rs"
],
"programRoutines": [
{
"name": "comrak_nif::document_to_html_with_options"
},
{
"name": "\u0027Elixir.MDEx.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/1"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.12.3",
"status": "affected",
"version": "0.11.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"comrak_nif"
],
"packageName": "leandrocp/mdex",
"packageURL": "pkg:github/leandrocp/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/types/document.rs"
],
"programRoutines": [
{
"name": "comrak_nif::document_to_html_with_options"
},
{
"name": "\u0027Elixir.MDEx.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/1"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "6ed94d905f97af188323f042698ae841c02293b4",
"status": "affected",
"version": "81e4d14dd3aa5b206e395c7f372b9b413793015f",
"versionType": "git"
}
]
},
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDExNative.Comrak\u0027",
"mdex_native_nif"
],
"packageName": "mdex_native",
"packageURL": "pkg:hex/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/types/document.rs"
],
"programRoutines": [
{
"name": "mdex_native_nif::document_to_html_with_options"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.2.3",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDExNative.Comrak\u0027",
"mdex_native_nif"
],
"packageName": "leandrocp/mdex_native",
"packageURL": "pkg:github/leandrocp/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/types/document.rs"
],
"programRoutines": [
{
"name": "mdex_native_nif::document_to_html_with_options"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "cbd927fb5061b488de8d90a8ef6df65718ca1fe6",
"status": "affected",
"version": "956528c5e31746253347029e810a969ab916fd27",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.12.3",
"versionStartIncluding": "0.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.2.3",
"versionStartIncluding": "0.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Leandro Pereira"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Release of Memory after Effective Lifetime vulnerability in leandrocp mdex and mdex_native allows an attacker who controls a rendered document to cause a denial of service through unbounded native memory exhaustion.\u003cp\u003eThe native rendering code permanently leaks memory when rendering a document that contains escaped-tag nodes. The conversion of each \u003ctt\u003e%MDEx.EscapedTag{}\u003c/tt\u003e node into its native representation (\u003ctt\u003eFrom\u0026lt;ExEscapedTag\u0026gt; for NodeValue\u003c/tt\u003e in the Rust NIF) calls \u003ctt\u003eBox::leak\u003c/tt\u003e on the caller-supplied \u003ctt\u003eliteral\u003c/tt\u003e string, which surrenders the backing allocation so that it lives for the entire lifetime of the operating system process and is never freed.\u003c/p\u003e\u003cp\u003eBoth the byte length of each literal and the number of escaped-tag nodes in a document are attacker-controlled, and there is no size cap, rate limit, or string interning on this path. Every render of a document containing escaped-tag nodes therefore leaks \u003ctt\u003eliteral_size \u0026times; node_count\u003c/tt\u003e bytes that can never be reclaimed, and repeated renders accumulate without bound. Rendering reaches this path through the public \u003ctt\u003eMDEx.to_html/1\u003c/tt\u003e entry point and any other API that renders a supplied \u003ctt\u003e%MDEx.Document{}\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eAny application that uses \u003ctt\u003emdex\u003c/tt\u003e (or \u003ctt\u003emdex_native\u003c/tt\u003e directly) to render documents derived from user-supplied content is affected. Because the leaked memory is never reclaimed for the life of the BEAM process, an attacker can drive resident memory upward without limit until the node exhausts memory and crashes, taking down every process on it.\u003c/p\u003e\u003cp\u003eThe vulnerable native code originally shipped inside \u003ctt\u003emdex\u003c/tt\u003e (in \u003ctt\u003enative/comrak_nif/src/types/document.rs\u003c/tt\u003e) and was later extracted into the separate \u003ctt\u003emdex_native\u003c/tt\u003e package (\u003ctt\u003enative/mdex_native_nif/src/types/document.rs\u003c/tt\u003e), where it remains unpatched.\u003c/p\u003e\u003cp\u003eThis issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.\u003c/p\u003e"
}
],
"value": "Missing Release of Memory after Effective Lifetime vulnerability in leandrocp mdex and mdex_native allows an attacker who controls a rendered document to cause a denial of service through unbounded native memory exhaustion.\n\nThe native rendering code permanently leaks memory when rendering a document that contains escaped-tag nodes. The conversion of each %MDEx.EscapedTag{} node into its native representation (From\u003cExEscapedTag\u003e for NodeValue in the Rust NIF) calls Box::leak on the caller-supplied literal string, which surrenders the backing allocation so that it lives for the entire lifetime of the operating system process and is never freed.\n\nBoth the byte length of each literal and the number of escaped-tag nodes in a document are attacker-controlled, and there is no size cap, rate limit, or string interning on this path. Every render of a document containing escaped-tag nodes therefore leaks literal_size x node_count bytes that can never be reclaimed, and repeated renders accumulate without bound. Rendering reaches this path through the public MDEx.to_html/1 entry point and any other API that renders a supplied %MDEx.Document{}.\n\nAny application that uses mdex (or mdex_native directly) to render documents derived from user-supplied content is affected. Because the leaked memory is never reclaimed for the life of the BEAM process, an attacker can drive resident memory upward without limit until the node exhausts memory and crashes, taking down every process on it.\n\nThe vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/types/document.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/types/document.rs), where it remains unpatched.\n\nThis issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T04:38:14.140Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-cmvp-gp9f-23xw"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-53429.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-53429"
},
{
"tags": [
"patch"
],
"url": "https://github.com/leandrocp/mdex_native/commit/cbd927fb5061b488de8d90a8ef6df65718ca1fe6"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unbounded native memory leak in mdex escaped-tag rendering enables unauthenticated denial of service",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-53429",
"datePublished": "2026-06-29T19:07:16.954Z",
"dateReserved": "2026-06-09T11:01:47.529Z",
"dateUpdated": "2026-06-30T04:38:14.140Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53428 (GCVE-0-2026-53428)
Vulnerability from nvd – Published: 2026-06-29 18:52 – Updated: 2026-06-30 04:38
VLAI
Title
Unbounded memory allocation in highlight_lines range expansion in mdex
Summary
Memory Allocation with Excessive Size Value vulnerability in leandrocp mdex allows an unauthenticated attacker to cause a denial of service through unbounded memory allocation.
comrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines in native/comrak_nif/src/lumis_adapter.rs eagerly expands a user-controlled inclusive line range from a fenced code block's highlight_lines decorator into a Vec<usize>, pushing one element per integer in the range with no upper bound on the range size. An attacker who can supply Markdown that an application renders with MDEx.to_html/2 (for example a comment, chat message, or wiki page) can embed a code block whose info string is rust highlight_lines="1-100000000", forcing the native adapter to allocate roughly 8 bytes per line in the range.
A payload that differs by only a few bytes can therefore allocate hundreds of megabytes, and a sufficiently large range (for example 1-2000000000) exhausts host memory and aborts the BEAM, denying service to every user of the rendering process. The per-line write loop additionally tests membership with a linear scan over the same vector, degrading rendering to a quadratic cost even for ranges that do not immediately exhaust memory.
The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched.
This issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-789 - Memory Allocation with Excessive Size Value
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/leandrocp/mdex_native/security… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-53428.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-53428 | related |
| https://github.com/leandrocp/mdex_native/commit/7… | patch |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| leandrocp | mdex |
Affected:
0.11.0 , < 0.12.3
(semver)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex |
Affected:
a8407611715d1ead35fbcba79c72cef1b7df387b , < 6ed94d905f97af188323f042698ae841c02293b4
(git)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
0.1.0 , < 0.2.3
(semver)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
956528c5e31746253347029e810a969ab916fd27 , < 798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3
(git)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53428",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T19:17:11.005816Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T19:17:25.070Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"comrak_nif"
],
"packageName": "mdex",
"packageURL": "pkg:hex/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.12.3",
"status": "affected",
"version": "0.11.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"comrak_nif"
],
"packageName": "leandrocp/mdex",
"packageURL": "pkg:github/leandrocp/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "6ed94d905f97af188323f042698ae841c02293b4",
"status": "affected",
"version": "a8407611715d1ead35fbcba79c72cef1b7df387b",
"versionType": "git"
}
]
},
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDExNative.Comrak\u0027",
"mdex_native_nif"
],
"packageName": "mdex_native",
"packageURL": "pkg:hex/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::parse_highlight_lines"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.2.3",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDExNative.Comrak\u0027",
"mdex_native_nif"
],
"packageName": "leandrocp/mdex_native",
"packageURL": "pkg:github/leandrocp/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::parse_highlight_lines"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3",
"status": "affected",
"version": "956528c5e31746253347029e810a969ab916fd27",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eExploitation requires the application to enable code-block decorators. Decorators are active only when the render options \u003ctt\u003egithub_pre_lang\u003c/tt\u003e and \u003ctt\u003efull_info_string\u003c/tt\u003e are both set and an inline syntax-highlight formatter (for example \u003ctt\u003e{:html_inline, ...}\u003c/tt\u003e) is configured. Applications that render Markdown with the default options do not parse \u003ctt\u003ehighlight_lines\u003c/tt\u003e specifications and are not affected.\u003c/p\u003e"
}
],
"value": "Exploitation requires the application to enable code-block decorators. Decorators are active only when the render options github_pre_lang and full_info_string are both set and an inline syntax-highlight formatter (for example {:html_inline, ...}) is configured. Applications that render Markdown with the default options do not parse highlight_lines specifications and are not affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.12.3",
"versionStartIncluding": "0.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.2.3",
"versionStartIncluding": "0.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Leandro Pereira"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Memory Allocation with Excessive Size Value vulnerability in leandrocp mdex allows an unauthenticated attacker to cause a denial of service through unbounded memory allocation.\u003cp\u003e\u003ctt\u003ecomrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines\u003c/tt\u003e in \u003ctt\u003enative/comrak_nif/src/lumis_adapter.rs\u003c/tt\u003e eagerly expands a user-controlled inclusive line range from a fenced code block\u0027s \u003ctt\u003ehighlight_lines\u003c/tt\u003e decorator into a \u003ctt\u003eVec\u0026lt;usize\u0026gt;\u003c/tt\u003e, pushing one element per integer in the range with no upper bound on the range size. An attacker who can supply Markdown that an application renders with \u003ctt\u003eMDEx.to_html/2\u003c/tt\u003e (for example a comment, chat message, or wiki page) can embed a code block whose info string is \u003ctt\u003erust highlight_lines=\"1-100000000\"\u003c/tt\u003e, forcing the native adapter to allocate roughly 8 bytes per line in the range.\u003c/p\u003e\u003cp\u003eA payload that differs by only a few bytes can therefore allocate hundreds of megabytes, and a sufficiently large range (for example \u003ctt\u003e1-2000000000\u003c/tt\u003e) exhausts host memory and aborts the BEAM, denying service to every user of the rendering process. The per-line write loop additionally tests membership with a linear scan over the same vector, degrading rendering to a quadratic cost even for ranges that do not immediately exhaust memory.\u003c/p\u003e\u003cp\u003eThe vulnerable native code originally shipped inside \u003ctt\u003emdex\u003c/tt\u003e (in \u003ctt\u003enative/comrak_nif/src/lumis_adapter.rs\u003c/tt\u003e) and was later extracted into the separate \u003ctt\u003emdex_native\u003c/tt\u003e package (\u003ctt\u003enative/mdex_native_nif/src/lumis_adapter.rs\u003c/tt\u003e), where it remains unpatched.\u003c/p\u003e\u003cp\u003eThis issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.\u003c/p\u003e"
}
],
"value": "Memory Allocation with Excessive Size Value vulnerability in leandrocp mdex allows an unauthenticated attacker to cause a denial of service through unbounded memory allocation.\n\ncomrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines in native/comrak_nif/src/lumis_adapter.rs eagerly expands a user-controlled inclusive line range from a fenced code block\u0027s highlight_lines decorator into a Vec\u003cusize\u003e, pushing one element per integer in the range with no upper bound on the range size. An attacker who can supply Markdown that an application renders with MDEx.to_html/2 (for example a comment, chat message, or wiki page) can embed a code block whose info string is rust highlight_lines=\"1-100000000\", forcing the native adapter to allocate roughly 8 bytes per line in the range.\n\nA payload that differs by only a few bytes can therefore allocate hundreds of megabytes, and a sufficiently large range (for example 1-2000000000) exhausts host memory and aborts the BEAM, denying service to every user of the rendering process. The per-line write loop additionally tests membership with a linear scan over the same vector, degrading rendering to a quadratic cost even for ranges that do not immediately exhaust memory.\n\nThe vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched.\n\nThis issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789 Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T04:38:36.755Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-j93q-9cvj-rxfm"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-53428.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-53428"
},
{
"tags": [
"patch"
],
"url": "https://github.com/leandrocp/mdex_native/commit/798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unbounded memory allocation in highlight_lines range expansion in mdex",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDo not enable code-block decorators: leave the \u003ctt\u003egithub_pre_lang\u003c/tt\u003e and \u003ctt\u003efull_info_string\u003c/tt\u003e render options unset, or avoid configuring an inline syntax-highlight formatter, so that \u003ctt\u003ehighlight_lines\u003c/tt\u003e specifications are never parsed.\u003c/p\u003e"
}
],
"value": "Do not enable code-block decorators: leave the github_pre_lang and full_info_string render options unset, or avoid configuring an inline syntax-highlight formatter, so that highlight_lines specifications are never parsed."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-53428",
"datePublished": "2026-06-29T18:52:36.199Z",
"dateReserved": "2026-06-09T11:01:47.529Z",
"dateUpdated": "2026-06-30T04:38:36.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53427 (GCVE-0-2026-53427)
Vulnerability from nvd – Published: 2026-06-29 18:50 – Updated: 2026-06-30 04:37
VLAI
Title
Cross-site scripting in MDEx via unescaped highlight_lines_class code-fence attribute
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown.
When syntax highlighting and full info-string forwarding (render: [full_info_string: true]) are enabled, the Lumis adapter copies the value of a code fence's highlight_lines_class info-string attribute, unescaped, into the class attribute of every rendered line. comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes in native/comrak_nif/src/lumis_adapter.rs shlex-parses the info string and stores each key=value pair verbatim, highlight_lines_config pulls highlight_lines_class into the per-line class value, and write_highlighted interpolates that value directly into the class attribute of the per-line <div>. A single-quoted shell token preserves an inner double quote through shlex parsing, so a value such as '"><script>alert(1)</script>' terminates the class attribute early and the markup that follows is emitted as live HTML.
An attacker who can submit Markdown (through comments, posts, wiki pages, documentation, or any user-generated content) can inject arbitrary HTML and JavaScript that runs in the browser of every user who views the rendered output, enabling session theft, account takeover, and other client-side attacks. No authentication or special privileges are required.
The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched.
This issue affects mdex from 0.11.3 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/leandrocp/mdex_native/security… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-53427.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-53427 | related |
| https://github.com/leandrocp/mdex_native/commit/7… | patch |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| leandrocp | mdex |
Affected:
0.11.3 , < 0.12.3
(semver)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex |
Affected:
0d7ffc84ea742e1daf666426814e5bb6d0499433 , < 6ed94d905f97af188323f042698ae841c02293b4
(git)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
0.1.0 , < 0.2.3
(semver)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
956528c5e31746253347029e810a969ab916fd27 , < 798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3
(git)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53427",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T19:18:13.166991Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T19:19:28.028Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"comrak_nif"
],
"packageName": "mdex",
"packageURL": "pkg:hex/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes"
},
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::highlight_lines_config"
},
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::write_highlighted"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.12.3",
"status": "affected",
"version": "0.11.3",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"comrak_nif"
],
"packageName": "leandrocp/mdex",
"packageURL": "pkg:github/leandrocp/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes"
},
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::highlight_lines_config"
},
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::write_highlighted"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "6ed94d905f97af188323f042698ae841c02293b4",
"status": "affected",
"version": "0d7ffc84ea742e1daf666426814e5bb6d0499433",
"versionType": "git"
}
]
},
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDExNative.Comrak\u0027",
"mdex_native_nif"
],
"packageName": "mdex_native",
"packageURL": "pkg:hex/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::parse_custom_attributes"
},
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::highlight_lines_config"
},
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::write_highlighted"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.2.3",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDExNative.Comrak\u0027",
"mdex_native_nif"
],
"packageName": "leandrocp/mdex_native",
"packageURL": "pkg:github/leandrocp/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::parse_custom_attributes"
},
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::highlight_lines_config"
},
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::write_highlighted"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3",
"status": "affected",
"version": "956528c5e31746253347029e810a969ab916fd27",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe vulnerable code path is only reachable when MDEx is configured with a syntax-highlighting formatter (for example \u003ctt\u003esyntax_highlight: [formatter: {:html_inline, ...}]\u003c/tt\u003e or \u003ctt\u003e{:html_linked, ...}\u003c/tt\u003e) and with full info-string forwarding enabled (\u003ctt\u003erender: [full_info_string: true]\u003c/tt\u003e). Full info-string forwarding is required for comrak to hand the \u003ctt\u003ehighlight_lines_class\u003c/tt\u003e attribute to the highlighter, so any application that uses the line-highlighting attributes already has it enabled.\u003c/p\u003e"
}
],
"value": "The vulnerable code path is only reachable when MDEx is configured with a syntax-highlighting formatter (for example syntax_highlight: [formatter: {:html_inline, ...}] or {:html_linked, ...}) and with full info-string forwarding enabled (render: [full_info_string: true]). Full info-string forwarding is required for comrak to hand the highlight_lines_class attribute to the highlighter, so any application that uses the line-highlighting attributes already has it enabled."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.12.3",
"versionStartIncluding": "0.11.3",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.2.3",
"versionStartIncluding": "0.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Leandro Pereira"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown.\u003c/p\u003e\u003cp\u003eWhen syntax highlighting and full info-string forwarding (\u003ctt\u003erender: [full_info_string: true]\u003c/tt\u003e) are enabled, the Lumis adapter copies the value of a code fence\u0027s \u003ctt\u003ehighlight_lines_class\u003c/tt\u003e info-string attribute, unescaped, into the \u003ctt\u003eclass\u003c/tt\u003e attribute of every rendered line. \u003ctt\u003ecomrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes\u003c/tt\u003e in \u003ctt\u003enative/comrak_nif/src/lumis_adapter.rs\u003c/tt\u003e shlex-parses the info string and stores each \u003ctt\u003ekey=value\u003c/tt\u003e pair verbatim, \u003ctt\u003ehighlight_lines_config\u003c/tt\u003e pulls \u003ctt\u003ehighlight_lines_class\u003c/tt\u003e into the per-line class value, and \u003ctt\u003ewrite_highlighted\u003c/tt\u003e interpolates that value directly into the \u003ctt\u003eclass\u003c/tt\u003e attribute of the per-line \u003ctt\u003e\u0026lt;div\u0026gt;\u003c/tt\u003e. A single-quoted shell token preserves an inner double quote through shlex parsing, so a value such as \u003ctt\u003e\u0027\u0026quot;\u0026gt;\u0026lt;script\u0026gt;alert(1)\u0026lt;/script\u0026gt;\u0027\u003c/tt\u003e terminates the \u003ctt\u003eclass\u003c/tt\u003e attribute early and the markup that follows is emitted as live HTML.\u003c/p\u003e\u003cp\u003eAn attacker who can submit Markdown (through comments, posts, wiki pages, documentation, or any user-generated content) can inject arbitrary HTML and JavaScript that runs in the browser of every user who views the rendered output, enabling session theft, account takeover, and other client-side attacks. No authentication or special privileges are required.\u003c/p\u003e\u003cp\u003eThe vulnerable native code originally shipped inside \u003ctt\u003emdex\u003c/tt\u003e (in \u003ctt\u003enative/comrak_nif/src/lumis_adapter.rs\u003c/tt\u003e) and was later extracted into the separate \u003ctt\u003emdex_native\u003c/tt\u003e package (\u003ctt\u003enative/mdex_native_nif/src/lumis_adapter.rs\u003c/tt\u003e), where it remains unpatched.\u003c/p\u003e\u003cp\u003eThis issue affects mdex from 0.11.3 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown.\n\nWhen syntax highlighting and full info-string forwarding (render: [full_info_string: true]) are enabled, the Lumis adapter copies the value of a code fence\u0027s highlight_lines_class info-string attribute, unescaped, into the class attribute of every rendered line. comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes in native/comrak_nif/src/lumis_adapter.rs shlex-parses the info string and stores each key=value pair verbatim, highlight_lines_config pulls highlight_lines_class into the per-line class value, and write_highlighted interpolates that value directly into the class attribute of the per-line \u003cdiv\u003e. A single-quoted shell token preserves an inner double quote through shlex parsing, so a value such as \u0027\"\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\u0027 terminates the class attribute early and the markup that follows is emitted as live HTML.\n\nAn attacker who can submit Markdown (through comments, posts, wiki pages, documentation, or any user-generated content) can inject arbitrary HTML and JavaScript that runs in the browser of every user who views the rendered output, enabling session theft, account takeover, and other client-side attacks. No authentication or special privileges are required.\n\nThe vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched.\n\nThis issue affects mdex from 0.11.3 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T04:37:51.902Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-v664-pmxr-mxxx"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-53427.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-53427"
},
{
"tags": [
"patch"
],
"url": "https://github.com/leandrocp/mdex_native/commit/798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Cross-site scripting in MDEx via unescaped highlight_lines_class code-fence attribute",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDo not enable full info-string forwarding (\u003ctt\u003erender: [full_info_string: true]\u003c/tt\u003e) when rendering untrusted Markdown, which prevents the \u003ctt\u003ehighlight_lines_class\u003c/tt\u003e attribute from reaching the highlighter. Alternatively, restrict \u003ctt\u003ehighlight_lines_class\u003c/tt\u003e values to a safe character set (for example \u003ctt\u003e[A-Za-z0-9_- ]\u003c/tt\u003e) before rendering.\u003c/p\u003e"
}
],
"value": "Do not enable full info-string forwarding (render: [full_info_string: true]) when rendering untrusted Markdown, which prevents the highlight_lines_class attribute from reaching the highlighter. Alternatively, restrict highlight_lines_class values to a safe character set (for example [A-Za-z0-9_- ]) before rendering."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-53427",
"datePublished": "2026-06-29T18:50:17.185Z",
"dateReserved": "2026-06-09T11:01:47.529Z",
"dateUpdated": "2026-06-30T04:37:51.902Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54888 (GCVE-0-2026-54888)
Vulnerability from cvelistv5 – Published: 2026-06-29 19:10 – Updated: 2026-06-30 04:37
VLAI
Title
Uncontrolled recursion over deeply nested Markdown crashes the BEAM in mdex
Summary
Uncontrolled Recursion vulnerability in leandrocp mdex allows denial of service via deeply nested Markdown input.
mdex converts between an Elixir %MDEx.Document{} struct and Comrak's internal AST using two mutually recursive Rust functions, ex_document_to_comrak_ast and comrak_ast_to_ex_document, in the NIF source file document.rs. Neither function enforces a maximum nesting depth, so the recursion depth is bounded only by the structure of the input. An attacker who can get a Markdown document rendered (for example through MDEx.parse_document!/1 or MDEx.to_html/1) can supply a document with thousands of nested block quotes, which drives unbounded recursion across the NIF boundary and exhausts the native C stack.
Because the resulting stack overflow is an uncatchable SIGSEGV raised inside a NIF, it cannot be contained by the Erlang runtime. It terminates the operating system process running the BEAM, killing every Elixir and Erlang process on the node, not just the caller that triggered the render. No authentication or special privileges are required.
The vulnerable conversion code was extracted from mdex into the separate mdex_native package starting in mdex 0.12.3. This issue affects mdex from 0.3.0 before 0.12.3 and mdex_native from 0.1.0 before 0.2.3.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-674 - Uncontrolled Recursion
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/leandrocp/mdex_native/security… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-54888.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-54888 | related |
| https://github.com/leandrocp/mdex_native/commit/9… | patch |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| leandrocp | mdex |
Affected:
0.3.0 , < 0.12.3
(semver)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex |
Affected:
d0bc7d55177727c61d188ef465178ab3b81f4f2c , < 6ed94d905f97af188323f042698ae841c02293b4
(git)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
0.1.0 , < 0.2.3
(semver)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
956528c5e31746253347029e810a969ab916fd27 , < 947696c47bc22bea5dffc0f78c946fa6b70ce183
(git)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54888",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T20:47:22.348133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T20:47:50.953Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-3w4f-53g2-f66p"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"comrak_nif",
"\u0027Elixir.MDEx\u0027",
"\u0027Elixir.MDEx.Native\u0027"
],
"packageName": "mdex",
"packageURL": "pkg:hex/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/types/document.rs",
"lib/mdex.ex",
"lib/mdex/native.ex"
],
"programRoutines": [
{
"name": "comrak_nif::types::document::ex_document_to_comrak_ast"
},
{
"name": "comrak_nif::types::document::comrak_ast_to_ex_document"
},
{
"name": "\u0027Elixir.MDEx\u0027:parse_document!/1"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/1"
},
{
"name": "\u0027Elixir.MDEx.Native\u0027:document_to_html_with_options/2"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.12.3",
"status": "affected",
"version": "0.3.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"comrak_nif",
"\u0027Elixir.MDEx\u0027",
"\u0027Elixir.MDEx.Native\u0027"
],
"packageName": "leandrocp/mdex",
"packageURL": "pkg:github/leandrocp/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/types/document.rs",
"lib/mdex.ex",
"lib/mdex/native.ex"
],
"programRoutines": [
{
"name": "comrak_nif::types::document::ex_document_to_comrak_ast"
},
{
"name": "comrak_nif::types::document::comrak_ast_to_ex_document"
},
{
"name": "\u0027Elixir.MDEx\u0027:parse_document!/1"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/1"
},
{
"name": "\u0027Elixir.MDEx.Native\u0027:document_to_html_with_options/2"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "6ed94d905f97af188323f042698ae841c02293b4",
"status": "affected",
"version": "d0bc7d55177727c61d188ef465178ab3b81f4f2c",
"versionType": "git"
}
]
},
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"mdex_native_nif",
"\u0027Elixir.MDExNative.Native\u0027"
],
"packageName": "mdex_native",
"packageURL": "pkg:hex/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/types/document.rs",
"lib/mdex_native/native.ex"
],
"programRoutines": [
{
"name": "mdex_native_nif::types::document::ex_document_to_comrak_ast"
},
{
"name": "mdex_native_nif::types::document::comrak_ast_to_ex_document"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:parse_document/2"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.2.3",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"mdex_native_nif",
"\u0027Elixir.MDExNative.Native\u0027"
],
"packageName": "leandrocp/mdex_native",
"packageURL": "pkg:github/leandrocp/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/types/document.rs",
"lib/mdex_native/native.ex"
],
"programRoutines": [
{
"name": "mdex_native_nif::types::document::ex_document_to_comrak_ast"
},
{
"name": "mdex_native_nif::types::document::comrak_ast_to_ex_document"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:parse_document/2"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "947696c47bc22bea5dffc0f78c946fa6b70ce183",
"status": "affected",
"version": "956528c5e31746253347029e810a969ab916fd27",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.12.3",
"versionStartIncluding": "0.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.2.3",
"versionStartIncluding": "0.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Leandro Pereira"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUncontrolled Recursion vulnerability in leandrocp mdex allows denial of service via deeply nested Markdown input.\u003c/p\u003e\u003cp\u003emdex converts between an Elixir \u003ctt\u003e%MDEx.Document{}\u003c/tt\u003e struct and Comrak\u0027s internal AST using two mutually recursive Rust functions, \u003ctt\u003eex_document_to_comrak_ast\u003c/tt\u003e and \u003ctt\u003ecomrak_ast_to_ex_document\u003c/tt\u003e, in the NIF source file \u003ctt\u003edocument.rs\u003c/tt\u003e. Neither function enforces a maximum nesting depth, so the recursion depth is bounded only by the structure of the input. An attacker who can get a Markdown document rendered (for example through \u003ctt\u003eMDEx.parse_document!/1\u003c/tt\u003e or \u003ctt\u003eMDEx.to_html/1\u003c/tt\u003e) can supply a document with thousands of nested block quotes, which drives unbounded recursion across the NIF boundary and exhausts the native C stack.\u003c/p\u003e\u003cp\u003eBecause the resulting stack overflow is an uncatchable SIGSEGV raised inside a NIF, it cannot be contained by the Erlang runtime. It terminates the operating system process running the BEAM, killing every Elixir and Erlang process on the node, not just the caller that triggered the render. No authentication or special privileges are required.\u003c/p\u003e\u003cp\u003eThe vulnerable conversion code was extracted from mdex into the separate mdex_native package starting in mdex 0.12.3. This issue affects mdex from 0.3.0 before 0.12.3 and mdex_native from 0.1.0 before 0.2.3.\u003c/p\u003e"
}
],
"value": "Uncontrolled Recursion vulnerability in leandrocp mdex allows denial of service via deeply nested Markdown input.\n\nmdex converts between an Elixir %MDEx.Document{} struct and Comrak\u0027s internal AST using two mutually recursive Rust functions, ex_document_to_comrak_ast and comrak_ast_to_ex_document, in the NIF source file document.rs. Neither function enforces a maximum nesting depth, so the recursion depth is bounded only by the structure of the input. An attacker who can get a Markdown document rendered (for example through MDEx.parse_document!/1 or MDEx.to_html/1) can supply a document with thousands of nested block quotes, which drives unbounded recursion across the NIF boundary and exhausts the native C stack.\n\nBecause the resulting stack overflow is an uncatchable SIGSEGV raised inside a NIF, it cannot be contained by the Erlang runtime. It terminates the operating system process running the BEAM, killing every Elixir and Erlang process on the node, not just the caller that triggered the render. No authentication or special privileges are required.\n\nThe vulnerable conversion code was extracted from mdex into the separate mdex_native package starting in mdex 0.12.3. This issue affects mdex from 0.3.0 before 0.12.3 and mdex_native from 0.1.0 before 0.2.3."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674 Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T04:37:59.369Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-3w4f-53g2-f66p"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-54888.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-54888"
},
{
"tags": [
"patch"
],
"url": "https://github.com/leandrocp/mdex_native/commit/947696c47bc22bea5dffc0f78c946fa6b70ce183"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Uncontrolled recursion over deeply nested Markdown crashes the BEAM in mdex",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-54888",
"datePublished": "2026-06-29T19:10:38.151Z",
"dateReserved": "2026-06-16T10:47:13.915Z",
"dateUpdated": "2026-06-30T04:37:59.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53429 (GCVE-0-2026-53429)
Vulnerability from cvelistv5 – Published: 2026-06-29 19:07 – Updated: 2026-06-30 04:38
VLAI
Title
Unbounded native memory leak in mdex escaped-tag rendering enables unauthenticated denial of service
Summary
Missing Release of Memory after Effective Lifetime vulnerability in leandrocp mdex and mdex_native allows an attacker who controls a rendered document to cause a denial of service through unbounded native memory exhaustion.
The native rendering code permanently leaks memory when rendering a document that contains escaped-tag nodes. The conversion of each %MDEx.EscapedTag{} node into its native representation (From<ExEscapedTag> for NodeValue in the Rust NIF) calls Box::leak on the caller-supplied literal string, which surrenders the backing allocation so that it lives for the entire lifetime of the operating system process and is never freed.
Both the byte length of each literal and the number of escaped-tag nodes in a document are attacker-controlled, and there is no size cap, rate limit, or string interning on this path. Every render of a document containing escaped-tag nodes therefore leaks literal_size x node_count bytes that can never be reclaimed, and repeated renders accumulate without bound. Rendering reaches this path through the public MDEx.to_html/1 entry point and any other API that renders a supplied %MDEx.Document{}.
Any application that uses mdex (or mdex_native directly) to render documents derived from user-supplied content is affected. Because the leaked memory is never reclaimed for the life of the BEAM process, an attacker can drive resident memory upward without limit until the node exhausts memory and crashes, taking down every process on it.
The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/types/document.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/types/document.rs), where it remains unpatched.
This issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/leandrocp/mdex_native/security… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-53429.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-53429 | related |
| https://github.com/leandrocp/mdex_native/commit/c… | patch |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| leandrocp | mdex |
Affected:
0.11.0 , < 0.12.3
(semver)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex |
Affected:
81e4d14dd3aa5b206e395c7f372b9b413793015f , < 6ed94d905f97af188323f042698ae841c02293b4
(git)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
0.1.0 , < 0.2.3
(semver)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
956528c5e31746253347029e810a969ab916fd27 , < cbd927fb5061b488de8d90a8ef6df65718ca1fe6
(git)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53429",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T20:45:00.827777Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T20:45:38.367Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-cmvp-gp9f-23xw"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"comrak_nif"
],
"packageName": "mdex",
"packageURL": "pkg:hex/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/types/document.rs"
],
"programRoutines": [
{
"name": "comrak_nif::document_to_html_with_options"
},
{
"name": "\u0027Elixir.MDEx.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/1"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.12.3",
"status": "affected",
"version": "0.11.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"comrak_nif"
],
"packageName": "leandrocp/mdex",
"packageURL": "pkg:github/leandrocp/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/types/document.rs"
],
"programRoutines": [
{
"name": "comrak_nif::document_to_html_with_options"
},
{
"name": "\u0027Elixir.MDEx.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/1"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "6ed94d905f97af188323f042698ae841c02293b4",
"status": "affected",
"version": "81e4d14dd3aa5b206e395c7f372b9b413793015f",
"versionType": "git"
}
]
},
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDExNative.Comrak\u0027",
"mdex_native_nif"
],
"packageName": "mdex_native",
"packageURL": "pkg:hex/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/types/document.rs"
],
"programRoutines": [
{
"name": "mdex_native_nif::document_to_html_with_options"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.2.3",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDExNative.Comrak\u0027",
"mdex_native_nif"
],
"packageName": "leandrocp/mdex_native",
"packageURL": "pkg:github/leandrocp/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/types/document.rs"
],
"programRoutines": [
{
"name": "mdex_native_nif::document_to_html_with_options"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "cbd927fb5061b488de8d90a8ef6df65718ca1fe6",
"status": "affected",
"version": "956528c5e31746253347029e810a969ab916fd27",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.12.3",
"versionStartIncluding": "0.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.2.3",
"versionStartIncluding": "0.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Leandro Pereira"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Release of Memory after Effective Lifetime vulnerability in leandrocp mdex and mdex_native allows an attacker who controls a rendered document to cause a denial of service through unbounded native memory exhaustion.\u003cp\u003eThe native rendering code permanently leaks memory when rendering a document that contains escaped-tag nodes. The conversion of each \u003ctt\u003e%MDEx.EscapedTag{}\u003c/tt\u003e node into its native representation (\u003ctt\u003eFrom\u0026lt;ExEscapedTag\u0026gt; for NodeValue\u003c/tt\u003e in the Rust NIF) calls \u003ctt\u003eBox::leak\u003c/tt\u003e on the caller-supplied \u003ctt\u003eliteral\u003c/tt\u003e string, which surrenders the backing allocation so that it lives for the entire lifetime of the operating system process and is never freed.\u003c/p\u003e\u003cp\u003eBoth the byte length of each literal and the number of escaped-tag nodes in a document are attacker-controlled, and there is no size cap, rate limit, or string interning on this path. Every render of a document containing escaped-tag nodes therefore leaks \u003ctt\u003eliteral_size \u0026times; node_count\u003c/tt\u003e bytes that can never be reclaimed, and repeated renders accumulate without bound. Rendering reaches this path through the public \u003ctt\u003eMDEx.to_html/1\u003c/tt\u003e entry point and any other API that renders a supplied \u003ctt\u003e%MDEx.Document{}\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eAny application that uses \u003ctt\u003emdex\u003c/tt\u003e (or \u003ctt\u003emdex_native\u003c/tt\u003e directly) to render documents derived from user-supplied content is affected. Because the leaked memory is never reclaimed for the life of the BEAM process, an attacker can drive resident memory upward without limit until the node exhausts memory and crashes, taking down every process on it.\u003c/p\u003e\u003cp\u003eThe vulnerable native code originally shipped inside \u003ctt\u003emdex\u003c/tt\u003e (in \u003ctt\u003enative/comrak_nif/src/types/document.rs\u003c/tt\u003e) and was later extracted into the separate \u003ctt\u003emdex_native\u003c/tt\u003e package (\u003ctt\u003enative/mdex_native_nif/src/types/document.rs\u003c/tt\u003e), where it remains unpatched.\u003c/p\u003e\u003cp\u003eThis issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.\u003c/p\u003e"
}
],
"value": "Missing Release of Memory after Effective Lifetime vulnerability in leandrocp mdex and mdex_native allows an attacker who controls a rendered document to cause a denial of service through unbounded native memory exhaustion.\n\nThe native rendering code permanently leaks memory when rendering a document that contains escaped-tag nodes. The conversion of each %MDEx.EscapedTag{} node into its native representation (From\u003cExEscapedTag\u003e for NodeValue in the Rust NIF) calls Box::leak on the caller-supplied literal string, which surrenders the backing allocation so that it lives for the entire lifetime of the operating system process and is never freed.\n\nBoth the byte length of each literal and the number of escaped-tag nodes in a document are attacker-controlled, and there is no size cap, rate limit, or string interning on this path. Every render of a document containing escaped-tag nodes therefore leaks literal_size x node_count bytes that can never be reclaimed, and repeated renders accumulate without bound. Rendering reaches this path through the public MDEx.to_html/1 entry point and any other API that renders a supplied %MDEx.Document{}.\n\nAny application that uses mdex (or mdex_native directly) to render documents derived from user-supplied content is affected. Because the leaked memory is never reclaimed for the life of the BEAM process, an attacker can drive resident memory upward without limit until the node exhausts memory and crashes, taking down every process on it.\n\nThe vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/types/document.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/types/document.rs), where it remains unpatched.\n\nThis issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T04:38:14.140Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-cmvp-gp9f-23xw"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-53429.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-53429"
},
{
"tags": [
"patch"
],
"url": "https://github.com/leandrocp/mdex_native/commit/cbd927fb5061b488de8d90a8ef6df65718ca1fe6"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unbounded native memory leak in mdex escaped-tag rendering enables unauthenticated denial of service",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-53429",
"datePublished": "2026-06-29T19:07:16.954Z",
"dateReserved": "2026-06-09T11:01:47.529Z",
"dateUpdated": "2026-06-30T04:38:14.140Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53428 (GCVE-0-2026-53428)
Vulnerability from cvelistv5 – Published: 2026-06-29 18:52 – Updated: 2026-06-30 04:38
VLAI
Title
Unbounded memory allocation in highlight_lines range expansion in mdex
Summary
Memory Allocation with Excessive Size Value vulnerability in leandrocp mdex allows an unauthenticated attacker to cause a denial of service through unbounded memory allocation.
comrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines in native/comrak_nif/src/lumis_adapter.rs eagerly expands a user-controlled inclusive line range from a fenced code block's highlight_lines decorator into a Vec<usize>, pushing one element per integer in the range with no upper bound on the range size. An attacker who can supply Markdown that an application renders with MDEx.to_html/2 (for example a comment, chat message, or wiki page) can embed a code block whose info string is rust highlight_lines="1-100000000", forcing the native adapter to allocate roughly 8 bytes per line in the range.
A payload that differs by only a few bytes can therefore allocate hundreds of megabytes, and a sufficiently large range (for example 1-2000000000) exhausts host memory and aborts the BEAM, denying service to every user of the rendering process. The per-line write loop additionally tests membership with a linear scan over the same vector, degrading rendering to a quadratic cost even for ranges that do not immediately exhaust memory.
The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched.
This issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-789 - Memory Allocation with Excessive Size Value
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/leandrocp/mdex_native/security… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-53428.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-53428 | related |
| https://github.com/leandrocp/mdex_native/commit/7… | patch |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| leandrocp | mdex |
Affected:
0.11.0 , < 0.12.3
(semver)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex |
Affected:
a8407611715d1ead35fbcba79c72cef1b7df387b , < 6ed94d905f97af188323f042698ae841c02293b4
(git)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
0.1.0 , < 0.2.3
(semver)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
956528c5e31746253347029e810a969ab916fd27 , < 798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3
(git)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53428",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T19:17:11.005816Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T19:17:25.070Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"comrak_nif"
],
"packageName": "mdex",
"packageURL": "pkg:hex/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.12.3",
"status": "affected",
"version": "0.11.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"comrak_nif"
],
"packageName": "leandrocp/mdex",
"packageURL": "pkg:github/leandrocp/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "6ed94d905f97af188323f042698ae841c02293b4",
"status": "affected",
"version": "a8407611715d1ead35fbcba79c72cef1b7df387b",
"versionType": "git"
}
]
},
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDExNative.Comrak\u0027",
"mdex_native_nif"
],
"packageName": "mdex_native",
"packageURL": "pkg:hex/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::parse_highlight_lines"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.2.3",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDExNative.Comrak\u0027",
"mdex_native_nif"
],
"packageName": "leandrocp/mdex_native",
"packageURL": "pkg:github/leandrocp/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::parse_highlight_lines"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3",
"status": "affected",
"version": "956528c5e31746253347029e810a969ab916fd27",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eExploitation requires the application to enable code-block decorators. Decorators are active only when the render options \u003ctt\u003egithub_pre_lang\u003c/tt\u003e and \u003ctt\u003efull_info_string\u003c/tt\u003e are both set and an inline syntax-highlight formatter (for example \u003ctt\u003e{:html_inline, ...}\u003c/tt\u003e) is configured. Applications that render Markdown with the default options do not parse \u003ctt\u003ehighlight_lines\u003c/tt\u003e specifications and are not affected.\u003c/p\u003e"
}
],
"value": "Exploitation requires the application to enable code-block decorators. Decorators are active only when the render options github_pre_lang and full_info_string are both set and an inline syntax-highlight formatter (for example {:html_inline, ...}) is configured. Applications that render Markdown with the default options do not parse highlight_lines specifications and are not affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.12.3",
"versionStartIncluding": "0.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.2.3",
"versionStartIncluding": "0.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Leandro Pereira"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Memory Allocation with Excessive Size Value vulnerability in leandrocp mdex allows an unauthenticated attacker to cause a denial of service through unbounded memory allocation.\u003cp\u003e\u003ctt\u003ecomrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines\u003c/tt\u003e in \u003ctt\u003enative/comrak_nif/src/lumis_adapter.rs\u003c/tt\u003e eagerly expands a user-controlled inclusive line range from a fenced code block\u0027s \u003ctt\u003ehighlight_lines\u003c/tt\u003e decorator into a \u003ctt\u003eVec\u0026lt;usize\u0026gt;\u003c/tt\u003e, pushing one element per integer in the range with no upper bound on the range size. An attacker who can supply Markdown that an application renders with \u003ctt\u003eMDEx.to_html/2\u003c/tt\u003e (for example a comment, chat message, or wiki page) can embed a code block whose info string is \u003ctt\u003erust highlight_lines=\"1-100000000\"\u003c/tt\u003e, forcing the native adapter to allocate roughly 8 bytes per line in the range.\u003c/p\u003e\u003cp\u003eA payload that differs by only a few bytes can therefore allocate hundreds of megabytes, and a sufficiently large range (for example \u003ctt\u003e1-2000000000\u003c/tt\u003e) exhausts host memory and aborts the BEAM, denying service to every user of the rendering process. The per-line write loop additionally tests membership with a linear scan over the same vector, degrading rendering to a quadratic cost even for ranges that do not immediately exhaust memory.\u003c/p\u003e\u003cp\u003eThe vulnerable native code originally shipped inside \u003ctt\u003emdex\u003c/tt\u003e (in \u003ctt\u003enative/comrak_nif/src/lumis_adapter.rs\u003c/tt\u003e) and was later extracted into the separate \u003ctt\u003emdex_native\u003c/tt\u003e package (\u003ctt\u003enative/mdex_native_nif/src/lumis_adapter.rs\u003c/tt\u003e), where it remains unpatched.\u003c/p\u003e\u003cp\u003eThis issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.\u003c/p\u003e"
}
],
"value": "Memory Allocation with Excessive Size Value vulnerability in leandrocp mdex allows an unauthenticated attacker to cause a denial of service through unbounded memory allocation.\n\ncomrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines in native/comrak_nif/src/lumis_adapter.rs eagerly expands a user-controlled inclusive line range from a fenced code block\u0027s highlight_lines decorator into a Vec\u003cusize\u003e, pushing one element per integer in the range with no upper bound on the range size. An attacker who can supply Markdown that an application renders with MDEx.to_html/2 (for example a comment, chat message, or wiki page) can embed a code block whose info string is rust highlight_lines=\"1-100000000\", forcing the native adapter to allocate roughly 8 bytes per line in the range.\n\nA payload that differs by only a few bytes can therefore allocate hundreds of megabytes, and a sufficiently large range (for example 1-2000000000) exhausts host memory and aborts the BEAM, denying service to every user of the rendering process. The per-line write loop additionally tests membership with a linear scan over the same vector, degrading rendering to a quadratic cost even for ranges that do not immediately exhaust memory.\n\nThe vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched.\n\nThis issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789 Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T04:38:36.755Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-j93q-9cvj-rxfm"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-53428.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-53428"
},
{
"tags": [
"patch"
],
"url": "https://github.com/leandrocp/mdex_native/commit/798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unbounded memory allocation in highlight_lines range expansion in mdex",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDo not enable code-block decorators: leave the \u003ctt\u003egithub_pre_lang\u003c/tt\u003e and \u003ctt\u003efull_info_string\u003c/tt\u003e render options unset, or avoid configuring an inline syntax-highlight formatter, so that \u003ctt\u003ehighlight_lines\u003c/tt\u003e specifications are never parsed.\u003c/p\u003e"
}
],
"value": "Do not enable code-block decorators: leave the github_pre_lang and full_info_string render options unset, or avoid configuring an inline syntax-highlight formatter, so that highlight_lines specifications are never parsed."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-53428",
"datePublished": "2026-06-29T18:52:36.199Z",
"dateReserved": "2026-06-09T11:01:47.529Z",
"dateUpdated": "2026-06-30T04:38:36.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53427 (GCVE-0-2026-53427)
Vulnerability from cvelistv5 – Published: 2026-06-29 18:50 – Updated: 2026-06-30 04:37
VLAI
Title
Cross-site scripting in MDEx via unescaped highlight_lines_class code-fence attribute
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown.
When syntax highlighting and full info-string forwarding (render: [full_info_string: true]) are enabled, the Lumis adapter copies the value of a code fence's highlight_lines_class info-string attribute, unescaped, into the class attribute of every rendered line. comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes in native/comrak_nif/src/lumis_adapter.rs shlex-parses the info string and stores each key=value pair verbatim, highlight_lines_config pulls highlight_lines_class into the per-line class value, and write_highlighted interpolates that value directly into the class attribute of the per-line <div>. A single-quoted shell token preserves an inner double quote through shlex parsing, so a value such as '"><script>alert(1)</script>' terminates the class attribute early and the markup that follows is emitted as live HTML.
An attacker who can submit Markdown (through comments, posts, wiki pages, documentation, or any user-generated content) can inject arbitrary HTML and JavaScript that runs in the browser of every user who views the rendered output, enabling session theft, account takeover, and other client-side attacks. No authentication or special privileges are required.
The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched.
This issue affects mdex from 0.11.3 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/leandrocp/mdex_native/security… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-53427.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-53427 | related |
| https://github.com/leandrocp/mdex_native/commit/7… | patch |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| leandrocp | mdex |
Affected:
0.11.3 , < 0.12.3
(semver)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex |
Affected:
0d7ffc84ea742e1daf666426814e5bb6d0499433 , < 6ed94d905f97af188323f042698ae841c02293b4
(git)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
0.1.0 , < 0.2.3
(semver)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
956528c5e31746253347029e810a969ab916fd27 , < 798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3
(git)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53427",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T19:18:13.166991Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T19:19:28.028Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"comrak_nif"
],
"packageName": "mdex",
"packageURL": "pkg:hex/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes"
},
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::highlight_lines_config"
},
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::write_highlighted"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.12.3",
"status": "affected",
"version": "0.11.3",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"comrak_nif"
],
"packageName": "leandrocp/mdex",
"packageURL": "pkg:github/leandrocp/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes"
},
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::highlight_lines_config"
},
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::write_highlighted"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "6ed94d905f97af188323f042698ae841c02293b4",
"status": "affected",
"version": "0d7ffc84ea742e1daf666426814e5bb6d0499433",
"versionType": "git"
}
]
},
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDExNative.Comrak\u0027",
"mdex_native_nif"
],
"packageName": "mdex_native",
"packageURL": "pkg:hex/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::parse_custom_attributes"
},
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::highlight_lines_config"
},
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::write_highlighted"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.2.3",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDExNative.Comrak\u0027",
"mdex_native_nif"
],
"packageName": "leandrocp/mdex_native",
"packageURL": "pkg:github/leandrocp/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::parse_custom_attributes"
},
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::highlight_lines_config"
},
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::write_highlighted"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3",
"status": "affected",
"version": "956528c5e31746253347029e810a969ab916fd27",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe vulnerable code path is only reachable when MDEx is configured with a syntax-highlighting formatter (for example \u003ctt\u003esyntax_highlight: [formatter: {:html_inline, ...}]\u003c/tt\u003e or \u003ctt\u003e{:html_linked, ...}\u003c/tt\u003e) and with full info-string forwarding enabled (\u003ctt\u003erender: [full_info_string: true]\u003c/tt\u003e). Full info-string forwarding is required for comrak to hand the \u003ctt\u003ehighlight_lines_class\u003c/tt\u003e attribute to the highlighter, so any application that uses the line-highlighting attributes already has it enabled.\u003c/p\u003e"
}
],
"value": "The vulnerable code path is only reachable when MDEx is configured with a syntax-highlighting formatter (for example syntax_highlight: [formatter: {:html_inline, ...}] or {:html_linked, ...}) and with full info-string forwarding enabled (render: [full_info_string: true]). Full info-string forwarding is required for comrak to hand the highlight_lines_class attribute to the highlighter, so any application that uses the line-highlighting attributes already has it enabled."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.12.3",
"versionStartIncluding": "0.11.3",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.2.3",
"versionStartIncluding": "0.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Leandro Pereira"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown.\u003c/p\u003e\u003cp\u003eWhen syntax highlighting and full info-string forwarding (\u003ctt\u003erender: [full_info_string: true]\u003c/tt\u003e) are enabled, the Lumis adapter copies the value of a code fence\u0027s \u003ctt\u003ehighlight_lines_class\u003c/tt\u003e info-string attribute, unescaped, into the \u003ctt\u003eclass\u003c/tt\u003e attribute of every rendered line. \u003ctt\u003ecomrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes\u003c/tt\u003e in \u003ctt\u003enative/comrak_nif/src/lumis_adapter.rs\u003c/tt\u003e shlex-parses the info string and stores each \u003ctt\u003ekey=value\u003c/tt\u003e pair verbatim, \u003ctt\u003ehighlight_lines_config\u003c/tt\u003e pulls \u003ctt\u003ehighlight_lines_class\u003c/tt\u003e into the per-line class value, and \u003ctt\u003ewrite_highlighted\u003c/tt\u003e interpolates that value directly into the \u003ctt\u003eclass\u003c/tt\u003e attribute of the per-line \u003ctt\u003e\u0026lt;div\u0026gt;\u003c/tt\u003e. A single-quoted shell token preserves an inner double quote through shlex parsing, so a value such as \u003ctt\u003e\u0027\u0026quot;\u0026gt;\u0026lt;script\u0026gt;alert(1)\u0026lt;/script\u0026gt;\u0027\u003c/tt\u003e terminates the \u003ctt\u003eclass\u003c/tt\u003e attribute early and the markup that follows is emitted as live HTML.\u003c/p\u003e\u003cp\u003eAn attacker who can submit Markdown (through comments, posts, wiki pages, documentation, or any user-generated content) can inject arbitrary HTML and JavaScript that runs in the browser of every user who views the rendered output, enabling session theft, account takeover, and other client-side attacks. No authentication or special privileges are required.\u003c/p\u003e\u003cp\u003eThe vulnerable native code originally shipped inside \u003ctt\u003emdex\u003c/tt\u003e (in \u003ctt\u003enative/comrak_nif/src/lumis_adapter.rs\u003c/tt\u003e) and was later extracted into the separate \u003ctt\u003emdex_native\u003c/tt\u003e package (\u003ctt\u003enative/mdex_native_nif/src/lumis_adapter.rs\u003c/tt\u003e), where it remains unpatched.\u003c/p\u003e\u003cp\u003eThis issue affects mdex from 0.11.3 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown.\n\nWhen syntax highlighting and full info-string forwarding (render: [full_info_string: true]) are enabled, the Lumis adapter copies the value of a code fence\u0027s highlight_lines_class info-string attribute, unescaped, into the class attribute of every rendered line. comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes in native/comrak_nif/src/lumis_adapter.rs shlex-parses the info string and stores each key=value pair verbatim, highlight_lines_config pulls highlight_lines_class into the per-line class value, and write_highlighted interpolates that value directly into the class attribute of the per-line \u003cdiv\u003e. A single-quoted shell token preserves an inner double quote through shlex parsing, so a value such as \u0027\"\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\u0027 terminates the class attribute early and the markup that follows is emitted as live HTML.\n\nAn attacker who can submit Markdown (through comments, posts, wiki pages, documentation, or any user-generated content) can inject arbitrary HTML and JavaScript that runs in the browser of every user who views the rendered output, enabling session theft, account takeover, and other client-side attacks. No authentication or special privileges are required.\n\nThe vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched.\n\nThis issue affects mdex from 0.11.3 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T04:37:51.902Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-v664-pmxr-mxxx"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-53427.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-53427"
},
{
"tags": [
"patch"
],
"url": "https://github.com/leandrocp/mdex_native/commit/798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Cross-site scripting in MDEx via unescaped highlight_lines_class code-fence attribute",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDo not enable full info-string forwarding (\u003ctt\u003erender: [full_info_string: true]\u003c/tt\u003e) when rendering untrusted Markdown, which prevents the \u003ctt\u003ehighlight_lines_class\u003c/tt\u003e attribute from reaching the highlighter. Alternatively, restrict \u003ctt\u003ehighlight_lines_class\u003c/tt\u003e values to a safe character set (for example \u003ctt\u003e[A-Za-z0-9_- ]\u003c/tt\u003e) before rendering.\u003c/p\u003e"
}
],
"value": "Do not enable full info-string forwarding (render: [full_info_string: true]) when rendering untrusted Markdown, which prevents the highlight_lines_class attribute from reaching the highlighter. Alternatively, restrict highlight_lines_class values to a safe character set (for example [A-Za-z0-9_- ]) before rendering."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-53427",
"datePublished": "2026-06-29T18:50:17.185Z",
"dateReserved": "2026-06-09T11:01:47.529Z",
"dateUpdated": "2026-06-30T04:37:51.902Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}