Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack is delivered over the network via submitted Markdown; no auth or interaction needed; BEAM crash terminates all co-tenant sessions, constituting a scope change beyond the library component.
Primary rating from Vendor (EEF).
CVSS VectorVendor: EEF
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Memory Allocation with Excessive Size Value vulnerability in leandrocp mdex allows an unauthenticated attacker to cause a denial of service through unbounded memory allocation.
comrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines in native/comrak_nif/src/lumis_adapter.rs eagerly expands a user-controlled inclusive line range from a fenced code block's highlight_lines decorator into a Vec<usize>, pushing one element per integer in the range with no upper bound on the range size. An attacker who can supply Markdown that an application renders with MDEx.to_html/2 (for example a comment, chat message, or wiki page) can embed a code block whose info string is rust highlight_lines="1-100000000", forcing the native adapter to allocate roughly 8 bytes per line in the range.
A payload that differs by only a few bytes can therefore allocate hundreds of megabytes, and a sufficiently large range (for example 1-2000000000) exhausts host memory and aborts the BEAM, denying service to every user of the rendering process. The per-line write loop additionally tests membership with a linear scan over the same vector, degrading rendering to a quadratic cost even for ranges that do not immediately exhaust memory.
The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched.
This issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.
AnalysisAI
Unbounded memory allocation in the MDEx Elixir Markdown rendering library allows a remote unauthenticated attacker to exhaust host memory and crash the BEAM virtual machine by submitting a single crafted fenced code block with an oversized highlight_lines range. Any application that renders user-supplied Markdown through MDEx.to_html/2 - such as a comment box, chat message, or wiki page - is exposed; a payload differing by only a few bytes can force hundreds of megabytes to gigabytes of allocation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The vulnerability is triggered when all of the following conditions are met: (1) the application calls MDEx.to_html/2 or an equivalent MDEx rendering function with user-controlled Markdown content; (2) the Markdown contains a fenced code block whose info string includes the `highlight_lines` decorator with a large integer range, e.g., `highlight_lines="1-2000000000"`; and (3) the application does not sanitize or cap the fenced code block info string before passing it to MDEx. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 4.0 score of 6.9 uses AV:L (Local attack vector), which appears to reflect the NIF library's invocation context as a process-local component rather than the realistic end-to-end attack path. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker posts a comment on a web forum powered by an Elixir application using MDEx, embedding a fenced code block with the info string `rust highlight_lines="1-2000000000"` - a payload indistinguishable in length from a legitimate code block. When the server renders the page (server-side or on any user request), the MDEx NIF materializes approximately 16 GB of Vec<usize> allocation, exhausting host memory and aborting the BEAM process, taking the entire application offline for all concurrent users. … |
| Remediation | Upgrade mdex to version 0.12.3 or later and mdex_native to version 0.2.3 or later; the upstream fix is available in commit 798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3 at https://github.com/leandrocp/mdex_native/commit/798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Unauthenticated denial-of-service in MDEx, an Elixir/Erlang CommonMark parsing library, lets an attacker crash the entir
Stack exhaustion in the mdex and mdex_native Elixir Markdown libraries causes entire-node denial of service when process
Native Rust heap exhaustion in leandrocp mdex and mdex_native allows any attacker who can supply document content to MDE
Cross-site scripting in MDEx (Elixir Markdown library by leandrocp), versions 0.8.3 through 0.13.1, allows any attacker
Stored and reflected cross-site scripting in MDEx's Lumis syntax highlighting adapter allows attackers who can submit Ma
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40175