Mdex Native
Monthly
Stack exhaustion in the mdex and mdex_native Elixir Markdown libraries causes entire-node denial of service when processing attacker-controlled deeply nested Markdown. Two mutually recursive Rust NIF functions, ex_document_to_comrak_ast and comrak_ast_to_ex_document in document.rs, traverse the Comrak AST without enforcing a maximum nesting depth; a document with thousands of nested block quotes drives unbounded recursion that overflows the native C stack. Because the resulting SIGSEGV is raised inside a NIF, the Erlang runtime cannot catch it - the OS process hosting the BEAM terminates, killing every Elixir and Erlang process on the node. No public exploit has been identified at time of analysis, but the attack requires only crafted Markdown input with no authentication.
Native Rust heap exhaustion in leandrocp mdex and mdex_native allows any attacker who can supply document content to MDEx.to_html/1 to crash the BEAM Erlang/Elixir node through unbounded memory accumulation. The Rust NIF permanently leaks memory by calling Box::leak on every escaped-tag literal string during document rendering, with no size cap or rate limit - leakage compounds across repeated renders proportional to literal_size multiplied by node_count, and the BEAM VM can never reclaim native allocations once surrendered this way. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; vendor-released patches are available in mdex 0.12.3 and mdex_native 0.2.3.
Unbounded memory allocation in the MDEx Elixir Markdown rendering library allows a remote unauthenticated attacker to exhaust host memory and crash the BEAM virtual machine by submitting a single crafted fenced code block with an oversized highlight_lines range. Any application that renders user-supplied Markdown through MDEx.to_html/2 - such as a comment box, chat message, or wiki page - is exposed; a payload differing by only a few bytes can force hundreds of megabytes to gigabytes of allocation. No public exploit has been identified at time of analysis, though the attack payload is trivially constructable directly from the public advisory, and patched versions 0.12.3 (mdex) and 0.2.3 (mdex_native) are available.
Stored and reflected cross-site scripting in MDEx's Lumis syntax highlighting adapter allows attackers who can submit Markdown content to inject arbitrary HTML and JavaScript into rendered output viewed by other users, enabling session theft and account takeover. The flaw exists in the native Rust code shared between the mdex (0.11.3-0.12.2) and mdex_native (0.1.0-0.2.2) packages, where the highlight_lines_class code-fence attribute is interpolated into per-line HTML div class attributes without escaping. Exploitation requires a non-default rendering configuration (full_info_string: true with syntax highlighting enabled); no public exploit identified at time of analysis, and vendor-released patches are available.
Stack exhaustion in the mdex and mdex_native Elixir Markdown libraries causes entire-node denial of service when processing attacker-controlled deeply nested Markdown. Two mutually recursive Rust NIF functions, ex_document_to_comrak_ast and comrak_ast_to_ex_document in document.rs, traverse the Comrak AST without enforcing a maximum nesting depth; a document with thousands of nested block quotes drives unbounded recursion that overflows the native C stack. Because the resulting SIGSEGV is raised inside a NIF, the Erlang runtime cannot catch it - the OS process hosting the BEAM terminates, killing every Elixir and Erlang process on the node. No public exploit has been identified at time of analysis, but the attack requires only crafted Markdown input with no authentication.
Native Rust heap exhaustion in leandrocp mdex and mdex_native allows any attacker who can supply document content to MDEx.to_html/1 to crash the BEAM Erlang/Elixir node through unbounded memory accumulation. The Rust NIF permanently leaks memory by calling Box::leak on every escaped-tag literal string during document rendering, with no size cap or rate limit - leakage compounds across repeated renders proportional to literal_size multiplied by node_count, and the BEAM VM can never reclaim native allocations once surrendered this way. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; vendor-released patches are available in mdex 0.12.3 and mdex_native 0.2.3.
Unbounded memory allocation in the MDEx Elixir Markdown rendering library allows a remote unauthenticated attacker to exhaust host memory and crash the BEAM virtual machine by submitting a single crafted fenced code block with an oversized highlight_lines range. Any application that renders user-supplied Markdown through MDEx.to_html/2 - such as a comment box, chat message, or wiki page - is exposed; a payload differing by only a few bytes can force hundreds of megabytes to gigabytes of allocation. No public exploit has been identified at time of analysis, though the attack payload is trivially constructable directly from the public advisory, and patched versions 0.12.3 (mdex) and 0.2.3 (mdex_native) are available.
Stored and reflected cross-site scripting in MDEx's Lumis syntax highlighting adapter allows attackers who can submit Markdown content to inject arbitrary HTML and JavaScript into rendered output viewed by other users, enabling session theft and account takeover. The flaw exists in the native Rust code shared between the mdex (0.11.3-0.12.2) and mdex_native (0.1.0-0.2.2) packages, where the highlight_lines_class code-fence attribute is interpolated into per-line HTML div class attributes without escaping. Exploitation requires a non-default rendering configuration (full_info_string: true with syntax highlighting enabled); no public exploit identified at time of analysis, and vendor-released patches are available.