Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network vector for typical web-app deployment; scope changed because SIGSEGV inside the NIF terminates the entire BEAM VM, killing all co-hosted processes beyond the direct caller.
Primary rating from Vendor (EEF).
CVSS VectorVendor: EEF
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Uncontrolled Recursion vulnerability in leandrocp mdex allows denial of service via deeply nested Markdown input.
mdex converts between an Elixir %MDEx.Document{} struct and Comrak's internal AST using two mutually recursive Rust functions, ex_document_to_comrak_ast and comrak_ast_to_ex_document, in the NIF source file document.rs. Neither function enforces a maximum nesting depth, so the recursion depth is bounded only by the structure of the input. An attacker who can get a Markdown document rendered (for example through MDEx.parse_document!/1 or MDEx.to_html/1) can supply a document with thousands of nested block quotes, which drives unbounded recursion across the NIF boundary and exhausts the native C stack.
Because the resulting stack overflow is an uncatchable SIGSEGV raised inside a NIF, it cannot be contained by the Erlang runtime. It terminates the operating system process running the BEAM, killing every Elixir and Erlang process on the node, not just the caller that triggered the render. No authentication or special privileges are required.
The vulnerable conversion code was extracted from mdex into the separate mdex_native package starting in mdex 0.12.3. This issue affects mdex from 0.3.0 before 0.12.3 and mdex_native from 0.1.0 before 0.2.3.
AnalysisAI
Stack exhaustion in the mdex and mdex_native Elixir Markdown libraries causes entire-node denial of service when processing attacker-controlled deeply nested Markdown. Two mutually recursive Rust NIF functions, ex_document_to_comrak_ast and comrak_ast_to_ex_document in document.rs, traverse the Comrak AST without enforcing a maximum nesting depth; a document with thousands of nested block quotes drives unbounded recursion that overflows the native C stack. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The targeted application must use mdex or mdex_native to process Markdown content that is fully or partially attacker-controlled - for example, a blog editor, comment system, documentation renderer, or chat platform where users submit Markdown that is passed to MDEx.parse_document!/1 or MDEx.to_html/1. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CNA-assigned CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:N/VA:H) scores 6.9, reflecting high availability impact with no complexity or privilege requirements. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker targeting a Phoenix web application or any Elixir service that renders user-supplied Markdown submits an HTTP request containing a document composed of thousands of consecutively nested block quote markers. When the application calls MDEx.to_html/1 or MDEx.parse_document!/1, the NIF's mutually recursive AST conversion exhausts the native C stack, raising a SIGSEGV that the Erlang runtime cannot intercept. … |
| Remediation | Upgrade mdex to version 0.12.3 or later, or mdex_native to version 0.2.3 or later; the upstream fix is available at commit 947696c47bc22bea5dffc0f78c946fa6b70ce183 (https://github.com/leandrocp/mdex_native/commit/947696c47bc22bea5dffc0f78c946fa6b70ce183), with the full advisory at https://github.com/leandrocp/mdex_native/security/advisories/GHSA-3w4f-53g2-f66p. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Unauthenticated denial-of-service in MDEx, an Elixir/Erlang CommonMark parsing library, lets an attacker crash the entir
Native Rust heap exhaustion in leandrocp mdex and mdex_native allows any attacker who can supply document content to MDE
Unbounded memory allocation in the MDEx Elixir Markdown rendering library allows a remote unauthenticated attacker to ex
Cross-site scripting in MDEx (Elixir Markdown library by leandrocp), versions 0.8.3 through 0.13.1, allows any attacker
Stored and reflected cross-site scripting in MDEx's Lumis syntax highlighting adapter allows attackers who can submit Ma
Same weakness CWE-674 – Uncontrolled Recursion
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40177