Skip to main content

mdex EUVDEUVD-2026-40177

| CVE-2026-54888 MEDIUM
Uncontrolled Recursion (CWE-674)
2026-06-29 EEF
6.9
CVSS 4.0 · Vendor: EEF
Share

Severity by source

Vendor (EEF) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.6 HIGH

Network vector for typical web-app deployment; scope changed because SIGSEGV inside the NIF terminates the entire BEAM VM, killing all co-hosted processes beyond the direct caller.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (EEF).

CVSS VectorVendor: EEF

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 19:51 vuln.today

DescriptionCVE.org

Uncontrolled Recursion vulnerability in leandrocp mdex allows denial of service via deeply nested Markdown input.

mdex converts between an Elixir %MDEx.Document{} struct and Comrak's internal AST using two mutually recursive Rust functions, ex_document_to_comrak_ast and comrak_ast_to_ex_document, in the NIF source file document.rs. Neither function enforces a maximum nesting depth, so the recursion depth is bounded only by the structure of the input. An attacker who can get a Markdown document rendered (for example through MDEx.parse_document!/1 or MDEx.to_html/1) can supply a document with thousands of nested block quotes, which drives unbounded recursion across the NIF boundary and exhausts the native C stack.

Because the resulting stack overflow is an uncatchable SIGSEGV raised inside a NIF, it cannot be contained by the Erlang runtime. It terminates the operating system process running the BEAM, killing every Elixir and Erlang process on the node, not just the caller that triggered the render. No authentication or special privileges are required.

The vulnerable conversion code was extracted from mdex into the separate mdex_native package starting in mdex 0.12.3. This issue affects mdex from 0.3.0 before 0.12.3 and mdex_native from 0.1.0 before 0.2.3.

AnalysisAI

Stack exhaustion in the mdex and mdex_native Elixir Markdown libraries causes entire-node denial of service when processing attacker-controlled deeply nested Markdown. Two mutually recursive Rust NIF functions, ex_document_to_comrak_ast and comrak_ast_to_ex_document in document.rs, traverse the Comrak AST without enforcing a maximum nesting depth; a document with thousands of nested block quotes drives unbounded recursion that overflows the native C stack. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Submit crafted deeply nested Markdown document
Delivery
Application calls MDEx.to_html/1 or MDEx.parse_document!/1
Exploit
NIF invokes mutually recursive Rust AST conversion
Execution
Recursion depth exceeds native C stack limit
Persist
SIGSEGV raised inside NIF boundary
Impact
BEAM VM OS process terminates, killing all node processes

Vulnerability AssessmentAI

Exploitation The targeted application must use mdex or mdex_native to process Markdown content that is fully or partially attacker-controlled - for example, a blog editor, comment system, documentation renderer, or chat platform where users submit Markdown that is passed to MDEx.parse_document!/1 or MDEx.to_html/1. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CNA-assigned CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:N/VA:H) scores 6.9, reflecting high availability impact with no complexity or privilege requirements. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targeting a Phoenix web application or any Elixir service that renders user-supplied Markdown submits an HTTP request containing a document composed of thousands of consecutively nested block quote markers. When the application calls MDEx.to_html/1 or MDEx.parse_document!/1, the NIF's mutually recursive AST conversion exhausts the native C stack, raising a SIGSEGV that the Erlang runtime cannot intercept. …
Remediation Upgrade mdex to version 0.12.3 or later, or mdex_native to version 0.2.3 or later; the upstream fix is available at commit 947696c47bc22bea5dffc0f78c946fa6b70ce183 (https://github.com/leandrocp/mdex_native/commit/947696c47bc22bea5dffc0f78c946fa6b70ce183), with the full advisory at https://github.com/leandrocp/mdex_native/security/advisories/GHSA-3w4f-53g2-f66p. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40177 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy