Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
12 vulnerabilities by leandrocp
CVE-2026-54889 (GCVE-0-2026-54889)
Vulnerability from nvd – Published: 2026-06-29 19:10 – Updated: 2026-06-30 04:38
VLAI
Title
Unsanitized URL schemes in MDEx Quill Delta output allow javascript: injection (XSS)
Summary
Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in leandrocp mdex allows cross-site scripting via unsanitized URL schemes in Quill Delta output.
'Elixir.MDEx':to_delta/2 converts Markdown into a Quill Delta. 'Elixir.MDEx.DeltaConverter':default_convert_node/3 in lib/mdex/delta_converter.ex copies the URL of a link, wikilink, or image node directly from the parsed Markdown into the Delta "link" or "image" attribute without applying a scheme allowlist or any normalization.
An attacker who controls the Markdown text can supply a javascript: URL (for example [click](javascript:alert(document.cookie))) that survives verbatim into the Delta attribute. When the Delta is rendered to HTML by a downstream renderer (such as quill-delta-to-html or the Quill client), the attribute becomes an <a href> or <img src>, and the javascript: scheme executes in the browser of anyone who views the rendered content. The link and wikilink cases are the strongest vectors because javascript: in an href executes on click; the image case is lower impact because javascript: in <img src> generally does not execute in modern browsers.
This issue affects mdex: from 0.8.3 before 0.13.2.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/leandrocp/mdex/security/adviso… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-54889.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-54889 | related |
| https://github.com/leandrocp/mdex/commit/2817147f… | patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54889",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T20:48:34.044130Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T20:48:52.206Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/leandrocp/mdex/security/advisories/GHSA-4383-7xfp-gpph"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"\u0027Elixir.MDEx.DeltaConverter\u0027"
],
"packageName": "mdex",
"packageURL": "pkg:hex/mdex",
"product": "mdex",
"programFiles": [
"lib/mdex.ex",
"lib/mdex/delta_converter.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.MDEx\u0027:to_delta/2"
},
{
"name": "\u0027Elixir.MDEx.DeltaConverter\u0027:convert/2"
},
{
"name": "\u0027Elixir.MDEx.DeltaConverter\u0027:default_convert_node/3"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.13.2",
"status": "affected",
"version": "0.8.3",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"\u0027Elixir.MDEx.DeltaConverter\u0027"
],
"packageName": "leandrocp/mdex",
"packageURL": "pkg:github/leandrocp/mdex",
"product": "mdex",
"programFiles": [
"lib/mdex.ex",
"lib/mdex/delta_converter.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.MDEx\u0027:to_delta/2"
},
{
"name": "\u0027Elixir.MDEx.DeltaConverter\u0027:convert/2"
},
{
"name": "\u0027Elixir.MDEx.DeltaConverter\u0027:default_convert_node/3"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "2817147f5b87ce7186aa604c9ee72499485b8f2f",
"status": "affected",
"version": "9852db2456fdc9d856eb636603a7f608e22e3793",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe application must pass untrusted Markdown to \u003ctt\u003e\u0027Elixir.MDEx\u0027:to_delta/2\u003c/tt\u003e and then render the resulting Quill Delta to HTML with a renderer that maps the \u003ctt\u003e\"link\"\u003c/tt\u003e and \u003ctt\u003e\"image\"\u003c/tt\u003e attributes to \u003ctt\u003ehref\u003c/tt\u003e and \u003ctt\u003esrc\u003c/tt\u003e without applying its own URL scheme sanitization (for example \u003ctt\u003equill-delta-to-html\u003c/tt\u003e or the Quill client).\u003c/p\u003e"
}
],
"value": "The application must pass untrusted Markdown to \u0027Elixir.MDEx\u0027:to_delta/2 and then render the resulting Quill Delta to HTML with a renderer that maps the \"link\" and \"image\" attributes to href and src without applying its own URL scheme sanitization (for example quill-delta-to-html or the Quill client)."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.13.2",
"versionStartIncluding": "0.8.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Leandro Pereira"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in leandrocp mdex allows cross-site scripting via unsanitized URL schemes in Quill Delta output.\u003cp\u003e\u003ctt\u003e\u0027Elixir.MDEx\u0027:to_delta/2\u003c/tt\u003e converts Markdown into a Quill Delta. \u003ctt\u003e\u0027Elixir.MDEx.DeltaConverter\u0027:default_convert_node/3\u003c/tt\u003e in \u003ctt\u003elib/mdex/delta_converter.ex\u003c/tt\u003e copies the URL of a link, wikilink, or image node directly from the parsed Markdown into the Delta \u003ctt\u003e\"link\"\u003c/tt\u003e or \u003ctt\u003e\"image\"\u003c/tt\u003e attribute without applying a scheme allowlist or any normalization.\u003c/p\u003e\u003cp\u003eAn attacker who controls the Markdown text can supply a \u003ctt\u003ejavascript:\u003c/tt\u003e URL (for example \u003ctt\u003e[click](javascript:alert(document.cookie))\u003c/tt\u003e) that survives verbatim into the Delta attribute. When the Delta is rendered to HTML by a downstream renderer (such as \u003ctt\u003equill-delta-to-html\u003c/tt\u003e or the Quill client), the attribute becomes an \u003ctt\u003e\u0026lt;a href\u0026gt;\u003c/tt\u003e or \u003ctt\u003e\u0026lt;img src\u0026gt;\u003c/tt\u003e, and the \u003ctt\u003ejavascript:\u003c/tt\u003e scheme executes in the browser of anyone who views the rendered content. The link and wikilink cases are the strongest vectors because \u003ctt\u003ejavascript:\u003c/tt\u003e in an \u003ctt\u003ehref\u003c/tt\u003e executes on click; the image case is lower impact because \u003ctt\u003ejavascript:\u003c/tt\u003e in \u003ctt\u003e\u0026lt;img src\u0026gt;\u003c/tt\u003e generally does not execute in modern browsers.\u003c/p\u003e\u003cp\u003eThis issue affects mdex: from 0.8.3 before 0.13.2.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in leandrocp mdex allows cross-site scripting via unsanitized URL schemes in Quill Delta output.\n\n\u0027Elixir.MDEx\u0027:to_delta/2 converts Markdown into a Quill Delta. \u0027Elixir.MDEx.DeltaConverter\u0027:default_convert_node/3 in lib/mdex/delta_converter.ex copies the URL of a link, wikilink, or image node directly from the parsed Markdown into the Delta \"link\" or \"image\" attribute without applying a scheme allowlist or any normalization.\n\nAn attacker who controls the Markdown text can supply a javascript: URL (for example [click](javascript:alert(document.cookie))) that survives verbatim into the Delta attribute. When the Delta is rendered to HTML by a downstream renderer (such as quill-delta-to-html or the Quill client), the attribute becomes an \u003ca href\u003e or \u003cimg src\u003e, and the javascript: scheme executes in the browser of anyone who views the rendered content. The link and wikilink cases are the strongest vectors because javascript: in an href executes on click; the image case is lower impact because javascript: in \u003cimg src\u003e generally does not execute in modern browsers.\n\nThis issue affects mdex: from 0.8.3 before 0.13.2."
}
],
"impacts": [
{
"capecId": "CAPEC-244",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-244 XSS Targeting URI Placeholders"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T04:38:42.158Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/leandrocp/mdex/security/advisories/GHSA-4383-7xfp-gpph"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-54889.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-54889"
},
{
"tags": [
"patch"
],
"url": "https://github.com/leandrocp/mdex/commit/2817147f5b87ce7186aa604c9ee72499485b8f2f"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unsanitized URL schemes in MDEx Quill Delta output allow javascript: injection (XSS)",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSanitize the Quill Delta produced by \u003ctt\u003e\u0027Elixir.MDEx\u0027:to_delta/2\u003c/tt\u003e before rendering it: drop or blank any \u003ctt\u003e\"link\"\u003c/tt\u003e or \u003ctt\u003e\"image\"\u003c/tt\u003e value whose URL scheme is not in a safe allowlist (\u003ctt\u003ehttp\u003c/tt\u003e, \u003ctt\u003ehttps\u003c/tt\u003e, \u003ctt\u003emailto\u003c/tt\u003e, \u003ctt\u003etel\u003c/tt\u003e).\u003c/p\u003e"
}
],
"value": "Sanitize the Quill Delta produced by \u0027Elixir.MDEx\u0027:to_delta/2 before rendering it: drop or blank any \"link\" or \"image\" value whose URL scheme is not in a safe allowlist (http, https, mailto, tel)."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-54889",
"datePublished": "2026-06-29T19:10:49.841Z",
"dateReserved": "2026-06-16T10:47:13.915Z",
"dateUpdated": "2026-06-30T04:38:42.158Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54888 (GCVE-0-2026-54888)
Vulnerability from nvd – Published: 2026-06-29 19:10 – Updated: 2026-06-30 04:37
VLAI
Title
Uncontrolled recursion over deeply nested Markdown crashes the BEAM in mdex
Summary
Uncontrolled Recursion vulnerability in leandrocp mdex allows denial of service via deeply nested Markdown input.
mdex converts between an Elixir %MDEx.Document{} struct and Comrak's internal AST using two mutually recursive Rust functions, ex_document_to_comrak_ast and comrak_ast_to_ex_document, in the NIF source file document.rs. Neither function enforces a maximum nesting depth, so the recursion depth is bounded only by the structure of the input. An attacker who can get a Markdown document rendered (for example through MDEx.parse_document!/1 or MDEx.to_html/1) can supply a document with thousands of nested block quotes, which drives unbounded recursion across the NIF boundary and exhausts the native C stack.
Because the resulting stack overflow is an uncatchable SIGSEGV raised inside a NIF, it cannot be contained by the Erlang runtime. It terminates the operating system process running the BEAM, killing every Elixir and Erlang process on the node, not just the caller that triggered the render. No authentication or special privileges are required.
The vulnerable conversion code was extracted from mdex into the separate mdex_native package starting in mdex 0.12.3. This issue affects mdex from 0.3.0 before 0.12.3 and mdex_native from 0.1.0 before 0.2.3.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-674 - Uncontrolled Recursion
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/leandrocp/mdex_native/security… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-54888.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-54888 | related |
| https://github.com/leandrocp/mdex_native/commit/9… | patch |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| leandrocp | mdex |
Affected:
0.3.0 , < 0.12.3
(semver)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex |
Affected:
d0bc7d55177727c61d188ef465178ab3b81f4f2c , < 6ed94d905f97af188323f042698ae841c02293b4
(git)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
0.1.0 , < 0.2.3
(semver)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
956528c5e31746253347029e810a969ab916fd27 , < 947696c47bc22bea5dffc0f78c946fa6b70ce183
(git)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54888",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T20:47:22.348133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T20:47:50.953Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-3w4f-53g2-f66p"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"comrak_nif",
"\u0027Elixir.MDEx\u0027",
"\u0027Elixir.MDEx.Native\u0027"
],
"packageName": "mdex",
"packageURL": "pkg:hex/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/types/document.rs",
"lib/mdex.ex",
"lib/mdex/native.ex"
],
"programRoutines": [
{
"name": "comrak_nif::types::document::ex_document_to_comrak_ast"
},
{
"name": "comrak_nif::types::document::comrak_ast_to_ex_document"
},
{
"name": "\u0027Elixir.MDEx\u0027:parse_document!/1"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/1"
},
{
"name": "\u0027Elixir.MDEx.Native\u0027:document_to_html_with_options/2"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.12.3",
"status": "affected",
"version": "0.3.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"comrak_nif",
"\u0027Elixir.MDEx\u0027",
"\u0027Elixir.MDEx.Native\u0027"
],
"packageName": "leandrocp/mdex",
"packageURL": "pkg:github/leandrocp/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/types/document.rs",
"lib/mdex.ex",
"lib/mdex/native.ex"
],
"programRoutines": [
{
"name": "comrak_nif::types::document::ex_document_to_comrak_ast"
},
{
"name": "comrak_nif::types::document::comrak_ast_to_ex_document"
},
{
"name": "\u0027Elixir.MDEx\u0027:parse_document!/1"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/1"
},
{
"name": "\u0027Elixir.MDEx.Native\u0027:document_to_html_with_options/2"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "6ed94d905f97af188323f042698ae841c02293b4",
"status": "affected",
"version": "d0bc7d55177727c61d188ef465178ab3b81f4f2c",
"versionType": "git"
}
]
},
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"mdex_native_nif",
"\u0027Elixir.MDExNative.Native\u0027"
],
"packageName": "mdex_native",
"packageURL": "pkg:hex/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/types/document.rs",
"lib/mdex_native/native.ex"
],
"programRoutines": [
{
"name": "mdex_native_nif::types::document::ex_document_to_comrak_ast"
},
{
"name": "mdex_native_nif::types::document::comrak_ast_to_ex_document"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:parse_document/2"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.2.3",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"mdex_native_nif",
"\u0027Elixir.MDExNative.Native\u0027"
],
"packageName": "leandrocp/mdex_native",
"packageURL": "pkg:github/leandrocp/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/types/document.rs",
"lib/mdex_native/native.ex"
],
"programRoutines": [
{
"name": "mdex_native_nif::types::document::ex_document_to_comrak_ast"
},
{
"name": "mdex_native_nif::types::document::comrak_ast_to_ex_document"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:parse_document/2"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "947696c47bc22bea5dffc0f78c946fa6b70ce183",
"status": "affected",
"version": "956528c5e31746253347029e810a969ab916fd27",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.12.3",
"versionStartIncluding": "0.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.2.3",
"versionStartIncluding": "0.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Leandro Pereira"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUncontrolled Recursion vulnerability in leandrocp mdex allows denial of service via deeply nested Markdown input.\u003c/p\u003e\u003cp\u003emdex converts between an Elixir \u003ctt\u003e%MDEx.Document{}\u003c/tt\u003e struct and Comrak\u0027s internal AST using two mutually recursive Rust functions, \u003ctt\u003eex_document_to_comrak_ast\u003c/tt\u003e and \u003ctt\u003ecomrak_ast_to_ex_document\u003c/tt\u003e, in the NIF source file \u003ctt\u003edocument.rs\u003c/tt\u003e. Neither function enforces a maximum nesting depth, so the recursion depth is bounded only by the structure of the input. An attacker who can get a Markdown document rendered (for example through \u003ctt\u003eMDEx.parse_document!/1\u003c/tt\u003e or \u003ctt\u003eMDEx.to_html/1\u003c/tt\u003e) can supply a document with thousands of nested block quotes, which drives unbounded recursion across the NIF boundary and exhausts the native C stack.\u003c/p\u003e\u003cp\u003eBecause the resulting stack overflow is an uncatchable SIGSEGV raised inside a NIF, it cannot be contained by the Erlang runtime. It terminates the operating system process running the BEAM, killing every Elixir and Erlang process on the node, not just the caller that triggered the render. No authentication or special privileges are required.\u003c/p\u003e\u003cp\u003eThe vulnerable conversion code was extracted from mdex into the separate mdex_native package starting in mdex 0.12.3. This issue affects mdex from 0.3.0 before 0.12.3 and mdex_native from 0.1.0 before 0.2.3.\u003c/p\u003e"
}
],
"value": "Uncontrolled Recursion vulnerability in leandrocp mdex allows denial of service via deeply nested Markdown input.\n\nmdex converts between an Elixir %MDEx.Document{} struct and Comrak\u0027s internal AST using two mutually recursive Rust functions, ex_document_to_comrak_ast and comrak_ast_to_ex_document, in the NIF source file document.rs. Neither function enforces a maximum nesting depth, so the recursion depth is bounded only by the structure of the input. An attacker who can get a Markdown document rendered (for example through MDEx.parse_document!/1 or MDEx.to_html/1) can supply a document with thousands of nested block quotes, which drives unbounded recursion across the NIF boundary and exhausts the native C stack.\n\nBecause the resulting stack overflow is an uncatchable SIGSEGV raised inside a NIF, it cannot be contained by the Erlang runtime. It terminates the operating system process running the BEAM, killing every Elixir and Erlang process on the node, not just the caller that triggered the render. No authentication or special privileges are required.\n\nThe vulnerable conversion code was extracted from mdex into the separate mdex_native package starting in mdex 0.12.3. This issue affects mdex from 0.3.0 before 0.12.3 and mdex_native from 0.1.0 before 0.2.3."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674 Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T04:37:59.369Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-3w4f-53g2-f66p"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-54888.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-54888"
},
{
"tags": [
"patch"
],
"url": "https://github.com/leandrocp/mdex_native/commit/947696c47bc22bea5dffc0f78c946fa6b70ce183"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Uncontrolled recursion over deeply nested Markdown crashes the BEAM in mdex",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-54888",
"datePublished": "2026-06-29T19:10:38.151Z",
"dateReserved": "2026-06-16T10:47:13.915Z",
"dateUpdated": "2026-06-30T04:37:59.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53429 (GCVE-0-2026-53429)
Vulnerability from nvd – Published: 2026-06-29 19:07 – Updated: 2026-06-30 04:38
VLAI
Title
Unbounded native memory leak in mdex escaped-tag rendering enables unauthenticated denial of service
Summary
Missing Release of Memory after Effective Lifetime vulnerability in leandrocp mdex and mdex_native allows an attacker who controls a rendered document to cause a denial of service through unbounded native memory exhaustion.
The native rendering code permanently leaks memory when rendering a document that contains escaped-tag nodes. The conversion of each %MDEx.EscapedTag{} node into its native representation (From<ExEscapedTag> for NodeValue in the Rust NIF) calls Box::leak on the caller-supplied literal string, which surrenders the backing allocation so that it lives for the entire lifetime of the operating system process and is never freed.
Both the byte length of each literal and the number of escaped-tag nodes in a document are attacker-controlled, and there is no size cap, rate limit, or string interning on this path. Every render of a document containing escaped-tag nodes therefore leaks literal_size x node_count bytes that can never be reclaimed, and repeated renders accumulate without bound. Rendering reaches this path through the public MDEx.to_html/1 entry point and any other API that renders a supplied %MDEx.Document{}.
Any application that uses mdex (or mdex_native directly) to render documents derived from user-supplied content is affected. Because the leaked memory is never reclaimed for the life of the BEAM process, an attacker can drive resident memory upward without limit until the node exhausts memory and crashes, taking down every process on it.
The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/types/document.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/types/document.rs), where it remains unpatched.
This issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/leandrocp/mdex_native/security… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-53429.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-53429 | related |
| https://github.com/leandrocp/mdex_native/commit/c… | patch |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| leandrocp | mdex |
Affected:
0.11.0 , < 0.12.3
(semver)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex |
Affected:
81e4d14dd3aa5b206e395c7f372b9b413793015f , < 6ed94d905f97af188323f042698ae841c02293b4
(git)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
0.1.0 , < 0.2.3
(semver)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
956528c5e31746253347029e810a969ab916fd27 , < cbd927fb5061b488de8d90a8ef6df65718ca1fe6
(git)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53429",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T20:45:00.827777Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T20:45:38.367Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-cmvp-gp9f-23xw"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"comrak_nif"
],
"packageName": "mdex",
"packageURL": "pkg:hex/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/types/document.rs"
],
"programRoutines": [
{
"name": "comrak_nif::document_to_html_with_options"
},
{
"name": "\u0027Elixir.MDEx.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/1"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.12.3",
"status": "affected",
"version": "0.11.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"comrak_nif"
],
"packageName": "leandrocp/mdex",
"packageURL": "pkg:github/leandrocp/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/types/document.rs"
],
"programRoutines": [
{
"name": "comrak_nif::document_to_html_with_options"
},
{
"name": "\u0027Elixir.MDEx.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/1"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "6ed94d905f97af188323f042698ae841c02293b4",
"status": "affected",
"version": "81e4d14dd3aa5b206e395c7f372b9b413793015f",
"versionType": "git"
}
]
},
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDExNative.Comrak\u0027",
"mdex_native_nif"
],
"packageName": "mdex_native",
"packageURL": "pkg:hex/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/types/document.rs"
],
"programRoutines": [
{
"name": "mdex_native_nif::document_to_html_with_options"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.2.3",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDExNative.Comrak\u0027",
"mdex_native_nif"
],
"packageName": "leandrocp/mdex_native",
"packageURL": "pkg:github/leandrocp/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/types/document.rs"
],
"programRoutines": [
{
"name": "mdex_native_nif::document_to_html_with_options"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "cbd927fb5061b488de8d90a8ef6df65718ca1fe6",
"status": "affected",
"version": "956528c5e31746253347029e810a969ab916fd27",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.12.3",
"versionStartIncluding": "0.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.2.3",
"versionStartIncluding": "0.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Leandro Pereira"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Release of Memory after Effective Lifetime vulnerability in leandrocp mdex and mdex_native allows an attacker who controls a rendered document to cause a denial of service through unbounded native memory exhaustion.\u003cp\u003eThe native rendering code permanently leaks memory when rendering a document that contains escaped-tag nodes. The conversion of each \u003ctt\u003e%MDEx.EscapedTag{}\u003c/tt\u003e node into its native representation (\u003ctt\u003eFrom\u0026lt;ExEscapedTag\u0026gt; for NodeValue\u003c/tt\u003e in the Rust NIF) calls \u003ctt\u003eBox::leak\u003c/tt\u003e on the caller-supplied \u003ctt\u003eliteral\u003c/tt\u003e string, which surrenders the backing allocation so that it lives for the entire lifetime of the operating system process and is never freed.\u003c/p\u003e\u003cp\u003eBoth the byte length of each literal and the number of escaped-tag nodes in a document are attacker-controlled, and there is no size cap, rate limit, or string interning on this path. Every render of a document containing escaped-tag nodes therefore leaks \u003ctt\u003eliteral_size \u0026times; node_count\u003c/tt\u003e bytes that can never be reclaimed, and repeated renders accumulate without bound. Rendering reaches this path through the public \u003ctt\u003eMDEx.to_html/1\u003c/tt\u003e entry point and any other API that renders a supplied \u003ctt\u003e%MDEx.Document{}\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eAny application that uses \u003ctt\u003emdex\u003c/tt\u003e (or \u003ctt\u003emdex_native\u003c/tt\u003e directly) to render documents derived from user-supplied content is affected. Because the leaked memory is never reclaimed for the life of the BEAM process, an attacker can drive resident memory upward without limit until the node exhausts memory and crashes, taking down every process on it.\u003c/p\u003e\u003cp\u003eThe vulnerable native code originally shipped inside \u003ctt\u003emdex\u003c/tt\u003e (in \u003ctt\u003enative/comrak_nif/src/types/document.rs\u003c/tt\u003e) and was later extracted into the separate \u003ctt\u003emdex_native\u003c/tt\u003e package (\u003ctt\u003enative/mdex_native_nif/src/types/document.rs\u003c/tt\u003e), where it remains unpatched.\u003c/p\u003e\u003cp\u003eThis issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.\u003c/p\u003e"
}
],
"value": "Missing Release of Memory after Effective Lifetime vulnerability in leandrocp mdex and mdex_native allows an attacker who controls a rendered document to cause a denial of service through unbounded native memory exhaustion.\n\nThe native rendering code permanently leaks memory when rendering a document that contains escaped-tag nodes. The conversion of each %MDEx.EscapedTag{} node into its native representation (From\u003cExEscapedTag\u003e for NodeValue in the Rust NIF) calls Box::leak on the caller-supplied literal string, which surrenders the backing allocation so that it lives for the entire lifetime of the operating system process and is never freed.\n\nBoth the byte length of each literal and the number of escaped-tag nodes in a document are attacker-controlled, and there is no size cap, rate limit, or string interning on this path. Every render of a document containing escaped-tag nodes therefore leaks literal_size x node_count bytes that can never be reclaimed, and repeated renders accumulate without bound. Rendering reaches this path through the public MDEx.to_html/1 entry point and any other API that renders a supplied %MDEx.Document{}.\n\nAny application that uses mdex (or mdex_native directly) to render documents derived from user-supplied content is affected. Because the leaked memory is never reclaimed for the life of the BEAM process, an attacker can drive resident memory upward without limit until the node exhausts memory and crashes, taking down every process on it.\n\nThe vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/types/document.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/types/document.rs), where it remains unpatched.\n\nThis issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T04:38:14.140Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-cmvp-gp9f-23xw"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-53429.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-53429"
},
{
"tags": [
"patch"
],
"url": "https://github.com/leandrocp/mdex_native/commit/cbd927fb5061b488de8d90a8ef6df65718ca1fe6"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unbounded native memory leak in mdex escaped-tag rendering enables unauthenticated denial of service",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-53429",
"datePublished": "2026-06-29T19:07:16.954Z",
"dateReserved": "2026-06-09T11:01:47.529Z",
"dateUpdated": "2026-06-30T04:38:14.140Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53426 (GCVE-0-2026-53426)
Vulnerability from nvd – Published: 2026-06-29 19:11 – Updated: 2026-06-30 04:38
VLAI
Title
Atom-table exhaustion denial-of-service via JSON parse_document in MDEx
Summary
Allocation of Resources Without Limits or Throttling vulnerability in leandrocp MDEx allows Excessive Allocation.
MDEx.parse_document/2 accepts a {:json, json} source. In lib/mdex.ex, the private json_to_node/1 function passes the attacker-controlled node_type value to Module.concat/1, which calls String.to_atom/1 and interns a brand-new atom for every distinct value. Atoms are never garbage collected on the BEAM, so a crafted JSON document carrying a unique node_type at each (deeply nested) node mints one permanent atom per node.
A single document can intern hundreds of thousands of atoms, and a large enough document exhausts the default atom table (around 1,048,576 atoms) and aborts the entire Erlang VM, taking down every process on the node. Any application that passes untrusted input to the {:json, ...} source of MDEx.parse_document is exposed to an unauthenticated denial-of-service.
This issue affects mdex from 0.4.3 before 0.13.2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/leandrocp/mdex/security/adviso… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-53426.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-53426 | related |
| https://github.com/leandrocp/mdex/commit/00fddf44… | patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53426",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T20:49:38.921685Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T20:49:48.817Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027"
],
"packageName": "mdex",
"packageURL": "pkg:hex/mdex",
"product": "mdex",
"programFiles": [
"lib/mdex.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.MDEx\u0027:parse_document/2"
},
{
"name": "\u0027Elixir.MDEx\u0027:json_to_node/1"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.13.2",
"status": "affected",
"version": "0.4.3",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027"
],
"packageName": "leandrocp/mdex",
"packageURL": "pkg:github/leandrocp/mdex",
"product": "mdex",
"programFiles": [
"lib/mdex.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.MDEx\u0027:parse_document/2"
},
{
"name": "\u0027Elixir.MDEx\u0027:json_to_node/1"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "00fddf444220a1f1cc0af0a1cab6738804878387",
"status": "affected",
"version": "cbb59a3f792dbc343873adec3466f49c853dc309",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.13.2",
"versionStartIncluding": "0.4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Leandro Pereira"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAllocation of Resources Without Limits or Throttling vulnerability in leandrocp MDEx allows Excessive Allocation.\u003c/p\u003e\u003cp\u003e\u003ctt\u003eMDEx.parse_document/2\u003c/tt\u003e accepts a \u003ctt\u003e{:json, json}\u003c/tt\u003e source. In \u003ctt\u003elib/mdex.ex\u003c/tt\u003e, the private \u003ctt\u003ejson_to_node/1\u003c/tt\u003e function passes the attacker-controlled \u003ctt\u003enode_type\u003c/tt\u003e value to \u003ctt\u003eModule.concat/1\u003c/tt\u003e, which calls \u003ctt\u003eString.to_atom/1\u003c/tt\u003e and interns a brand-new atom for every distinct value. Atoms are never garbage collected on the BEAM, so a crafted JSON document carrying a unique \u003ctt\u003enode_type\u003c/tt\u003e at each (deeply nested) node mints one permanent atom per node.\u003c/p\u003e\u003cp\u003eA single document can intern hundreds of thousands of atoms, and a large enough document exhausts the default atom table (around 1,048,576 atoms) and aborts the entire Erlang VM, taking down every process on the node. Any application that passes untrusted input to the \u003ctt\u003e{:json, ...}\u003c/tt\u003e source of \u003ctt\u003eMDEx.parse_document\u003c/tt\u003e is exposed to an unauthenticated denial-of-service.\u003c/p\u003e\u003cp\u003eThis issue affects mdex from 0.4.3 before 0.13.2.\u003c/p\u003e"
}
],
"value": "Allocation of Resources Without Limits or Throttling vulnerability in leandrocp MDEx allows Excessive Allocation.\n\nMDEx.parse_document/2 accepts a {:json, json} source. In lib/mdex.ex, the private json_to_node/1 function passes the attacker-controlled node_type value to Module.concat/1, which calls String.to_atom/1 and interns a brand-new atom for every distinct value. Atoms are never garbage collected on the BEAM, so a crafted JSON document carrying a unique node_type at each (deeply nested) node mints one permanent atom per node.\n\nA single document can intern hundreds of thousands of atoms, and a large enough document exhausts the default atom table (around 1,048,576 atoms) and aborts the entire Erlang VM, taking down every process on the node. Any application that passes untrusted input to the {:json, ...} source of MDEx.parse_document is exposed to an unauthenticated denial-of-service.\n\nThis issue affects mdex from 0.4.3 before 0.13.2."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T04:38:27.190Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/leandrocp/mdex/security/advisories/GHSA-923r-7vf4-5vw8"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-53426.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-53426"
},
{
"tags": [
"patch"
],
"url": "https://github.com/leandrocp/mdex/commit/00fddf444220a1f1cc0af0a1cab6738804878387"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Atom-table exhaustion denial-of-service via JSON parse_document in MDEx",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDo not pass untrusted or attacker-controlled input to the \u003ctt\u003e{:json, ...}\u003c/tt\u003e source of \u003ctt\u003eMDEx.parse_document/2\u003c/tt\u003e. The \u003ctt\u003e{:markdown, ...}\u003c/tt\u003e source is not affected.\u003c/p\u003e"
}
],
"value": "Do not pass untrusted or attacker-controlled input to the {:json, ...} source of MDEx.parse_document/2. The {:markdown, ...} source is not affected."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-53426",
"datePublished": "2026-06-29T19:11:32.605Z",
"dateReserved": "2026-06-09T11:01:47.529Z",
"dateUpdated": "2026-06-30T04:38:27.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53428 (GCVE-0-2026-53428)
Vulnerability from nvd – Published: 2026-06-29 18:52 – Updated: 2026-06-30 04:38
VLAI
Title
Unbounded memory allocation in highlight_lines range expansion in mdex
Summary
Memory Allocation with Excessive Size Value vulnerability in leandrocp mdex allows an unauthenticated attacker to cause a denial of service through unbounded memory allocation.
comrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines in native/comrak_nif/src/lumis_adapter.rs eagerly expands a user-controlled inclusive line range from a fenced code block's highlight_lines decorator into a Vec<usize>, pushing one element per integer in the range with no upper bound on the range size. An attacker who can supply Markdown that an application renders with MDEx.to_html/2 (for example a comment, chat message, or wiki page) can embed a code block whose info string is rust highlight_lines="1-100000000", forcing the native adapter to allocate roughly 8 bytes per line in the range.
A payload that differs by only a few bytes can therefore allocate hundreds of megabytes, and a sufficiently large range (for example 1-2000000000) exhausts host memory and aborts the BEAM, denying service to every user of the rendering process. The per-line write loop additionally tests membership with a linear scan over the same vector, degrading rendering to a quadratic cost even for ranges that do not immediately exhaust memory.
The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched.
This issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-789 - Memory Allocation with Excessive Size Value
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/leandrocp/mdex_native/security… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-53428.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-53428 | related |
| https://github.com/leandrocp/mdex_native/commit/7… | patch |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| leandrocp | mdex |
Affected:
0.11.0 , < 0.12.3
(semver)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex |
Affected:
a8407611715d1ead35fbcba79c72cef1b7df387b , < 6ed94d905f97af188323f042698ae841c02293b4
(git)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
0.1.0 , < 0.2.3
(semver)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
956528c5e31746253347029e810a969ab916fd27 , < 798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3
(git)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53428",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T19:17:11.005816Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T19:17:25.070Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"comrak_nif"
],
"packageName": "mdex",
"packageURL": "pkg:hex/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.12.3",
"status": "affected",
"version": "0.11.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"comrak_nif"
],
"packageName": "leandrocp/mdex",
"packageURL": "pkg:github/leandrocp/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "6ed94d905f97af188323f042698ae841c02293b4",
"status": "affected",
"version": "a8407611715d1ead35fbcba79c72cef1b7df387b",
"versionType": "git"
}
]
},
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDExNative.Comrak\u0027",
"mdex_native_nif"
],
"packageName": "mdex_native",
"packageURL": "pkg:hex/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::parse_highlight_lines"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.2.3",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDExNative.Comrak\u0027",
"mdex_native_nif"
],
"packageName": "leandrocp/mdex_native",
"packageURL": "pkg:github/leandrocp/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::parse_highlight_lines"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3",
"status": "affected",
"version": "956528c5e31746253347029e810a969ab916fd27",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eExploitation requires the application to enable code-block decorators. Decorators are active only when the render options \u003ctt\u003egithub_pre_lang\u003c/tt\u003e and \u003ctt\u003efull_info_string\u003c/tt\u003e are both set and an inline syntax-highlight formatter (for example \u003ctt\u003e{:html_inline, ...}\u003c/tt\u003e) is configured. Applications that render Markdown with the default options do not parse \u003ctt\u003ehighlight_lines\u003c/tt\u003e specifications and are not affected.\u003c/p\u003e"
}
],
"value": "Exploitation requires the application to enable code-block decorators. Decorators are active only when the render options github_pre_lang and full_info_string are both set and an inline syntax-highlight formatter (for example {:html_inline, ...}) is configured. Applications that render Markdown with the default options do not parse highlight_lines specifications and are not affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.12.3",
"versionStartIncluding": "0.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.2.3",
"versionStartIncluding": "0.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Leandro Pereira"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Memory Allocation with Excessive Size Value vulnerability in leandrocp mdex allows an unauthenticated attacker to cause a denial of service through unbounded memory allocation.\u003cp\u003e\u003ctt\u003ecomrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines\u003c/tt\u003e in \u003ctt\u003enative/comrak_nif/src/lumis_adapter.rs\u003c/tt\u003e eagerly expands a user-controlled inclusive line range from a fenced code block\u0027s \u003ctt\u003ehighlight_lines\u003c/tt\u003e decorator into a \u003ctt\u003eVec\u0026lt;usize\u0026gt;\u003c/tt\u003e, pushing one element per integer in the range with no upper bound on the range size. An attacker who can supply Markdown that an application renders with \u003ctt\u003eMDEx.to_html/2\u003c/tt\u003e (for example a comment, chat message, or wiki page) can embed a code block whose info string is \u003ctt\u003erust highlight_lines=\"1-100000000\"\u003c/tt\u003e, forcing the native adapter to allocate roughly 8 bytes per line in the range.\u003c/p\u003e\u003cp\u003eA payload that differs by only a few bytes can therefore allocate hundreds of megabytes, and a sufficiently large range (for example \u003ctt\u003e1-2000000000\u003c/tt\u003e) exhausts host memory and aborts the BEAM, denying service to every user of the rendering process. The per-line write loop additionally tests membership with a linear scan over the same vector, degrading rendering to a quadratic cost even for ranges that do not immediately exhaust memory.\u003c/p\u003e\u003cp\u003eThe vulnerable native code originally shipped inside \u003ctt\u003emdex\u003c/tt\u003e (in \u003ctt\u003enative/comrak_nif/src/lumis_adapter.rs\u003c/tt\u003e) and was later extracted into the separate \u003ctt\u003emdex_native\u003c/tt\u003e package (\u003ctt\u003enative/mdex_native_nif/src/lumis_adapter.rs\u003c/tt\u003e), where it remains unpatched.\u003c/p\u003e\u003cp\u003eThis issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.\u003c/p\u003e"
}
],
"value": "Memory Allocation with Excessive Size Value vulnerability in leandrocp mdex allows an unauthenticated attacker to cause a denial of service through unbounded memory allocation.\n\ncomrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines in native/comrak_nif/src/lumis_adapter.rs eagerly expands a user-controlled inclusive line range from a fenced code block\u0027s highlight_lines decorator into a Vec\u003cusize\u003e, pushing one element per integer in the range with no upper bound on the range size. An attacker who can supply Markdown that an application renders with MDEx.to_html/2 (for example a comment, chat message, or wiki page) can embed a code block whose info string is rust highlight_lines=\"1-100000000\", forcing the native adapter to allocate roughly 8 bytes per line in the range.\n\nA payload that differs by only a few bytes can therefore allocate hundreds of megabytes, and a sufficiently large range (for example 1-2000000000) exhausts host memory and aborts the BEAM, denying service to every user of the rendering process. The per-line write loop additionally tests membership with a linear scan over the same vector, degrading rendering to a quadratic cost even for ranges that do not immediately exhaust memory.\n\nThe vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched.\n\nThis issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789 Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T04:38:36.755Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-j93q-9cvj-rxfm"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-53428.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-53428"
},
{
"tags": [
"patch"
],
"url": "https://github.com/leandrocp/mdex_native/commit/798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unbounded memory allocation in highlight_lines range expansion in mdex",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDo not enable code-block decorators: leave the \u003ctt\u003egithub_pre_lang\u003c/tt\u003e and \u003ctt\u003efull_info_string\u003c/tt\u003e render options unset, or avoid configuring an inline syntax-highlight formatter, so that \u003ctt\u003ehighlight_lines\u003c/tt\u003e specifications are never parsed.\u003c/p\u003e"
}
],
"value": "Do not enable code-block decorators: leave the github_pre_lang and full_info_string render options unset, or avoid configuring an inline syntax-highlight formatter, so that highlight_lines specifications are never parsed."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-53428",
"datePublished": "2026-06-29T18:52:36.199Z",
"dateReserved": "2026-06-09T11:01:47.529Z",
"dateUpdated": "2026-06-30T04:38:36.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53427 (GCVE-0-2026-53427)
Vulnerability from nvd – Published: 2026-06-29 18:50 – Updated: 2026-06-30 04:37
VLAI
Title
Cross-site scripting in MDEx via unescaped highlight_lines_class code-fence attribute
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown.
When syntax highlighting and full info-string forwarding (render: [full_info_string: true]) are enabled, the Lumis adapter copies the value of a code fence's highlight_lines_class info-string attribute, unescaped, into the class attribute of every rendered line. comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes in native/comrak_nif/src/lumis_adapter.rs shlex-parses the info string and stores each key=value pair verbatim, highlight_lines_config pulls highlight_lines_class into the per-line class value, and write_highlighted interpolates that value directly into the class attribute of the per-line <div>. A single-quoted shell token preserves an inner double quote through shlex parsing, so a value such as '"><script>alert(1)</script>' terminates the class attribute early and the markup that follows is emitted as live HTML.
An attacker who can submit Markdown (through comments, posts, wiki pages, documentation, or any user-generated content) can inject arbitrary HTML and JavaScript that runs in the browser of every user who views the rendered output, enabling session theft, account takeover, and other client-side attacks. No authentication or special privileges are required.
The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched.
This issue affects mdex from 0.11.3 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/leandrocp/mdex_native/security… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-53427.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-53427 | related |
| https://github.com/leandrocp/mdex_native/commit/7… | patch |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| leandrocp | mdex |
Affected:
0.11.3 , < 0.12.3
(semver)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex |
Affected:
0d7ffc84ea742e1daf666426814e5bb6d0499433 , < 6ed94d905f97af188323f042698ae841c02293b4
(git)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
0.1.0 , < 0.2.3
(semver)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
956528c5e31746253347029e810a969ab916fd27 , < 798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3
(git)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53427",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T19:18:13.166991Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T19:19:28.028Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"comrak_nif"
],
"packageName": "mdex",
"packageURL": "pkg:hex/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes"
},
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::highlight_lines_config"
},
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::write_highlighted"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.12.3",
"status": "affected",
"version": "0.11.3",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"comrak_nif"
],
"packageName": "leandrocp/mdex",
"packageURL": "pkg:github/leandrocp/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes"
},
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::highlight_lines_config"
},
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::write_highlighted"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "6ed94d905f97af188323f042698ae841c02293b4",
"status": "affected",
"version": "0d7ffc84ea742e1daf666426814e5bb6d0499433",
"versionType": "git"
}
]
},
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDExNative.Comrak\u0027",
"mdex_native_nif"
],
"packageName": "mdex_native",
"packageURL": "pkg:hex/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::parse_custom_attributes"
},
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::highlight_lines_config"
},
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::write_highlighted"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.2.3",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDExNative.Comrak\u0027",
"mdex_native_nif"
],
"packageName": "leandrocp/mdex_native",
"packageURL": "pkg:github/leandrocp/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::parse_custom_attributes"
},
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::highlight_lines_config"
},
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::write_highlighted"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3",
"status": "affected",
"version": "956528c5e31746253347029e810a969ab916fd27",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe vulnerable code path is only reachable when MDEx is configured with a syntax-highlighting formatter (for example \u003ctt\u003esyntax_highlight: [formatter: {:html_inline, ...}]\u003c/tt\u003e or \u003ctt\u003e{:html_linked, ...}\u003c/tt\u003e) and with full info-string forwarding enabled (\u003ctt\u003erender: [full_info_string: true]\u003c/tt\u003e). Full info-string forwarding is required for comrak to hand the \u003ctt\u003ehighlight_lines_class\u003c/tt\u003e attribute to the highlighter, so any application that uses the line-highlighting attributes already has it enabled.\u003c/p\u003e"
}
],
"value": "The vulnerable code path is only reachable when MDEx is configured with a syntax-highlighting formatter (for example syntax_highlight: [formatter: {:html_inline, ...}] or {:html_linked, ...}) and with full info-string forwarding enabled (render: [full_info_string: true]). Full info-string forwarding is required for comrak to hand the highlight_lines_class attribute to the highlighter, so any application that uses the line-highlighting attributes already has it enabled."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.12.3",
"versionStartIncluding": "0.11.3",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.2.3",
"versionStartIncluding": "0.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Leandro Pereira"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown.\u003c/p\u003e\u003cp\u003eWhen syntax highlighting and full info-string forwarding (\u003ctt\u003erender: [full_info_string: true]\u003c/tt\u003e) are enabled, the Lumis adapter copies the value of a code fence\u0027s \u003ctt\u003ehighlight_lines_class\u003c/tt\u003e info-string attribute, unescaped, into the \u003ctt\u003eclass\u003c/tt\u003e attribute of every rendered line. \u003ctt\u003ecomrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes\u003c/tt\u003e in \u003ctt\u003enative/comrak_nif/src/lumis_adapter.rs\u003c/tt\u003e shlex-parses the info string and stores each \u003ctt\u003ekey=value\u003c/tt\u003e pair verbatim, \u003ctt\u003ehighlight_lines_config\u003c/tt\u003e pulls \u003ctt\u003ehighlight_lines_class\u003c/tt\u003e into the per-line class value, and \u003ctt\u003ewrite_highlighted\u003c/tt\u003e interpolates that value directly into the \u003ctt\u003eclass\u003c/tt\u003e attribute of the per-line \u003ctt\u003e\u0026lt;div\u0026gt;\u003c/tt\u003e. A single-quoted shell token preserves an inner double quote through shlex parsing, so a value such as \u003ctt\u003e\u0027\u0026quot;\u0026gt;\u0026lt;script\u0026gt;alert(1)\u0026lt;/script\u0026gt;\u0027\u003c/tt\u003e terminates the \u003ctt\u003eclass\u003c/tt\u003e attribute early and the markup that follows is emitted as live HTML.\u003c/p\u003e\u003cp\u003eAn attacker who can submit Markdown (through comments, posts, wiki pages, documentation, or any user-generated content) can inject arbitrary HTML and JavaScript that runs in the browser of every user who views the rendered output, enabling session theft, account takeover, and other client-side attacks. No authentication or special privileges are required.\u003c/p\u003e\u003cp\u003eThe vulnerable native code originally shipped inside \u003ctt\u003emdex\u003c/tt\u003e (in \u003ctt\u003enative/comrak_nif/src/lumis_adapter.rs\u003c/tt\u003e) and was later extracted into the separate \u003ctt\u003emdex_native\u003c/tt\u003e package (\u003ctt\u003enative/mdex_native_nif/src/lumis_adapter.rs\u003c/tt\u003e), where it remains unpatched.\u003c/p\u003e\u003cp\u003eThis issue affects mdex from 0.11.3 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown.\n\nWhen syntax highlighting and full info-string forwarding (render: [full_info_string: true]) are enabled, the Lumis adapter copies the value of a code fence\u0027s highlight_lines_class info-string attribute, unescaped, into the class attribute of every rendered line. comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes in native/comrak_nif/src/lumis_adapter.rs shlex-parses the info string and stores each key=value pair verbatim, highlight_lines_config pulls highlight_lines_class into the per-line class value, and write_highlighted interpolates that value directly into the class attribute of the per-line \u003cdiv\u003e. A single-quoted shell token preserves an inner double quote through shlex parsing, so a value such as \u0027\"\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\u0027 terminates the class attribute early and the markup that follows is emitted as live HTML.\n\nAn attacker who can submit Markdown (through comments, posts, wiki pages, documentation, or any user-generated content) can inject arbitrary HTML and JavaScript that runs in the browser of every user who views the rendered output, enabling session theft, account takeover, and other client-side attacks. No authentication or special privileges are required.\n\nThe vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched.\n\nThis issue affects mdex from 0.11.3 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T04:37:51.902Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-v664-pmxr-mxxx"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-53427.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-53427"
},
{
"tags": [
"patch"
],
"url": "https://github.com/leandrocp/mdex_native/commit/798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Cross-site scripting in MDEx via unescaped highlight_lines_class code-fence attribute",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDo not enable full info-string forwarding (\u003ctt\u003erender: [full_info_string: true]\u003c/tt\u003e) when rendering untrusted Markdown, which prevents the \u003ctt\u003ehighlight_lines_class\u003c/tt\u003e attribute from reaching the highlighter. Alternatively, restrict \u003ctt\u003ehighlight_lines_class\u003c/tt\u003e values to a safe character set (for example \u003ctt\u003e[A-Za-z0-9_- ]\u003c/tt\u003e) before rendering.\u003c/p\u003e"
}
],
"value": "Do not enable full info-string forwarding (render: [full_info_string: true]) when rendering untrusted Markdown, which prevents the highlight_lines_class attribute from reaching the highlighter. Alternatively, restrict highlight_lines_class values to a safe character set (for example [A-Za-z0-9_- ]) before rendering."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-53427",
"datePublished": "2026-06-29T18:50:17.185Z",
"dateReserved": "2026-06-09T11:01:47.529Z",
"dateUpdated": "2026-06-30T04:37:51.902Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53426 (GCVE-0-2026-53426)
Vulnerability from cvelistv5 – Published: 2026-06-29 19:11 – Updated: 2026-06-30 04:38
VLAI
Title
Atom-table exhaustion denial-of-service via JSON parse_document in MDEx
Summary
Allocation of Resources Without Limits or Throttling vulnerability in leandrocp MDEx allows Excessive Allocation.
MDEx.parse_document/2 accepts a {:json, json} source. In lib/mdex.ex, the private json_to_node/1 function passes the attacker-controlled node_type value to Module.concat/1, which calls String.to_atom/1 and interns a brand-new atom for every distinct value. Atoms are never garbage collected on the BEAM, so a crafted JSON document carrying a unique node_type at each (deeply nested) node mints one permanent atom per node.
A single document can intern hundreds of thousands of atoms, and a large enough document exhausts the default atom table (around 1,048,576 atoms) and aborts the entire Erlang VM, taking down every process on the node. Any application that passes untrusted input to the {:json, ...} source of MDEx.parse_document is exposed to an unauthenticated denial-of-service.
This issue affects mdex from 0.4.3 before 0.13.2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/leandrocp/mdex/security/adviso… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-53426.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-53426 | related |
| https://github.com/leandrocp/mdex/commit/00fddf44… | patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53426",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T20:49:38.921685Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T20:49:48.817Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027"
],
"packageName": "mdex",
"packageURL": "pkg:hex/mdex",
"product": "mdex",
"programFiles": [
"lib/mdex.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.MDEx\u0027:parse_document/2"
},
{
"name": "\u0027Elixir.MDEx\u0027:json_to_node/1"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.13.2",
"status": "affected",
"version": "0.4.3",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027"
],
"packageName": "leandrocp/mdex",
"packageURL": "pkg:github/leandrocp/mdex",
"product": "mdex",
"programFiles": [
"lib/mdex.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.MDEx\u0027:parse_document/2"
},
{
"name": "\u0027Elixir.MDEx\u0027:json_to_node/1"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "00fddf444220a1f1cc0af0a1cab6738804878387",
"status": "affected",
"version": "cbb59a3f792dbc343873adec3466f49c853dc309",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.13.2",
"versionStartIncluding": "0.4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Leandro Pereira"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAllocation of Resources Without Limits or Throttling vulnerability in leandrocp MDEx allows Excessive Allocation.\u003c/p\u003e\u003cp\u003e\u003ctt\u003eMDEx.parse_document/2\u003c/tt\u003e accepts a \u003ctt\u003e{:json, json}\u003c/tt\u003e source. In \u003ctt\u003elib/mdex.ex\u003c/tt\u003e, the private \u003ctt\u003ejson_to_node/1\u003c/tt\u003e function passes the attacker-controlled \u003ctt\u003enode_type\u003c/tt\u003e value to \u003ctt\u003eModule.concat/1\u003c/tt\u003e, which calls \u003ctt\u003eString.to_atom/1\u003c/tt\u003e and interns a brand-new atom for every distinct value. Atoms are never garbage collected on the BEAM, so a crafted JSON document carrying a unique \u003ctt\u003enode_type\u003c/tt\u003e at each (deeply nested) node mints one permanent atom per node.\u003c/p\u003e\u003cp\u003eA single document can intern hundreds of thousands of atoms, and a large enough document exhausts the default atom table (around 1,048,576 atoms) and aborts the entire Erlang VM, taking down every process on the node. Any application that passes untrusted input to the \u003ctt\u003e{:json, ...}\u003c/tt\u003e source of \u003ctt\u003eMDEx.parse_document\u003c/tt\u003e is exposed to an unauthenticated denial-of-service.\u003c/p\u003e\u003cp\u003eThis issue affects mdex from 0.4.3 before 0.13.2.\u003c/p\u003e"
}
],
"value": "Allocation of Resources Without Limits or Throttling vulnerability in leandrocp MDEx allows Excessive Allocation.\n\nMDEx.parse_document/2 accepts a {:json, json} source. In lib/mdex.ex, the private json_to_node/1 function passes the attacker-controlled node_type value to Module.concat/1, which calls String.to_atom/1 and interns a brand-new atom for every distinct value. Atoms are never garbage collected on the BEAM, so a crafted JSON document carrying a unique node_type at each (deeply nested) node mints one permanent atom per node.\n\nA single document can intern hundreds of thousands of atoms, and a large enough document exhausts the default atom table (around 1,048,576 atoms) and aborts the entire Erlang VM, taking down every process on the node. Any application that passes untrusted input to the {:json, ...} source of MDEx.parse_document is exposed to an unauthenticated denial-of-service.\n\nThis issue affects mdex from 0.4.3 before 0.13.2."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T04:38:27.190Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/leandrocp/mdex/security/advisories/GHSA-923r-7vf4-5vw8"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-53426.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-53426"
},
{
"tags": [
"patch"
],
"url": "https://github.com/leandrocp/mdex/commit/00fddf444220a1f1cc0af0a1cab6738804878387"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Atom-table exhaustion denial-of-service via JSON parse_document in MDEx",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDo not pass untrusted or attacker-controlled input to the \u003ctt\u003e{:json, ...}\u003c/tt\u003e source of \u003ctt\u003eMDEx.parse_document/2\u003c/tt\u003e. The \u003ctt\u003e{:markdown, ...}\u003c/tt\u003e source is not affected.\u003c/p\u003e"
}
],
"value": "Do not pass untrusted or attacker-controlled input to the {:json, ...} source of MDEx.parse_document/2. The {:markdown, ...} source is not affected."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-53426",
"datePublished": "2026-06-29T19:11:32.605Z",
"dateReserved": "2026-06-09T11:01:47.529Z",
"dateUpdated": "2026-06-30T04:38:27.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54889 (GCVE-0-2026-54889)
Vulnerability from cvelistv5 – Published: 2026-06-29 19:10 – Updated: 2026-06-30 04:38
VLAI
Title
Unsanitized URL schemes in MDEx Quill Delta output allow javascript: injection (XSS)
Summary
Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in leandrocp mdex allows cross-site scripting via unsanitized URL schemes in Quill Delta output.
'Elixir.MDEx':to_delta/2 converts Markdown into a Quill Delta. 'Elixir.MDEx.DeltaConverter':default_convert_node/3 in lib/mdex/delta_converter.ex copies the URL of a link, wikilink, or image node directly from the parsed Markdown into the Delta "link" or "image" attribute without applying a scheme allowlist or any normalization.
An attacker who controls the Markdown text can supply a javascript: URL (for example [click](javascript:alert(document.cookie))) that survives verbatim into the Delta attribute. When the Delta is rendered to HTML by a downstream renderer (such as quill-delta-to-html or the Quill client), the attribute becomes an <a href> or <img src>, and the javascript: scheme executes in the browser of anyone who views the rendered content. The link and wikilink cases are the strongest vectors because javascript: in an href executes on click; the image case is lower impact because javascript: in <img src> generally does not execute in modern browsers.
This issue affects mdex: from 0.8.3 before 0.13.2.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/leandrocp/mdex/security/adviso… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-54889.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-54889 | related |
| https://github.com/leandrocp/mdex/commit/2817147f… | patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54889",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T20:48:34.044130Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T20:48:52.206Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/leandrocp/mdex/security/advisories/GHSA-4383-7xfp-gpph"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"\u0027Elixir.MDEx.DeltaConverter\u0027"
],
"packageName": "mdex",
"packageURL": "pkg:hex/mdex",
"product": "mdex",
"programFiles": [
"lib/mdex.ex",
"lib/mdex/delta_converter.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.MDEx\u0027:to_delta/2"
},
{
"name": "\u0027Elixir.MDEx.DeltaConverter\u0027:convert/2"
},
{
"name": "\u0027Elixir.MDEx.DeltaConverter\u0027:default_convert_node/3"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.13.2",
"status": "affected",
"version": "0.8.3",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"\u0027Elixir.MDEx.DeltaConverter\u0027"
],
"packageName": "leandrocp/mdex",
"packageURL": "pkg:github/leandrocp/mdex",
"product": "mdex",
"programFiles": [
"lib/mdex.ex",
"lib/mdex/delta_converter.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.MDEx\u0027:to_delta/2"
},
{
"name": "\u0027Elixir.MDEx.DeltaConverter\u0027:convert/2"
},
{
"name": "\u0027Elixir.MDEx.DeltaConverter\u0027:default_convert_node/3"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "2817147f5b87ce7186aa604c9ee72499485b8f2f",
"status": "affected",
"version": "9852db2456fdc9d856eb636603a7f608e22e3793",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe application must pass untrusted Markdown to \u003ctt\u003e\u0027Elixir.MDEx\u0027:to_delta/2\u003c/tt\u003e and then render the resulting Quill Delta to HTML with a renderer that maps the \u003ctt\u003e\"link\"\u003c/tt\u003e and \u003ctt\u003e\"image\"\u003c/tt\u003e attributes to \u003ctt\u003ehref\u003c/tt\u003e and \u003ctt\u003esrc\u003c/tt\u003e without applying its own URL scheme sanitization (for example \u003ctt\u003equill-delta-to-html\u003c/tt\u003e or the Quill client).\u003c/p\u003e"
}
],
"value": "The application must pass untrusted Markdown to \u0027Elixir.MDEx\u0027:to_delta/2 and then render the resulting Quill Delta to HTML with a renderer that maps the \"link\" and \"image\" attributes to href and src without applying its own URL scheme sanitization (for example quill-delta-to-html or the Quill client)."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.13.2",
"versionStartIncluding": "0.8.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Leandro Pereira"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in leandrocp mdex allows cross-site scripting via unsanitized URL schemes in Quill Delta output.\u003cp\u003e\u003ctt\u003e\u0027Elixir.MDEx\u0027:to_delta/2\u003c/tt\u003e converts Markdown into a Quill Delta. \u003ctt\u003e\u0027Elixir.MDEx.DeltaConverter\u0027:default_convert_node/3\u003c/tt\u003e in \u003ctt\u003elib/mdex/delta_converter.ex\u003c/tt\u003e copies the URL of a link, wikilink, or image node directly from the parsed Markdown into the Delta \u003ctt\u003e\"link\"\u003c/tt\u003e or \u003ctt\u003e\"image\"\u003c/tt\u003e attribute without applying a scheme allowlist or any normalization.\u003c/p\u003e\u003cp\u003eAn attacker who controls the Markdown text can supply a \u003ctt\u003ejavascript:\u003c/tt\u003e URL (for example \u003ctt\u003e[click](javascript:alert(document.cookie))\u003c/tt\u003e) that survives verbatim into the Delta attribute. When the Delta is rendered to HTML by a downstream renderer (such as \u003ctt\u003equill-delta-to-html\u003c/tt\u003e or the Quill client), the attribute becomes an \u003ctt\u003e\u0026lt;a href\u0026gt;\u003c/tt\u003e or \u003ctt\u003e\u0026lt;img src\u0026gt;\u003c/tt\u003e, and the \u003ctt\u003ejavascript:\u003c/tt\u003e scheme executes in the browser of anyone who views the rendered content. The link and wikilink cases are the strongest vectors because \u003ctt\u003ejavascript:\u003c/tt\u003e in an \u003ctt\u003ehref\u003c/tt\u003e executes on click; the image case is lower impact because \u003ctt\u003ejavascript:\u003c/tt\u003e in \u003ctt\u003e\u0026lt;img src\u0026gt;\u003c/tt\u003e generally does not execute in modern browsers.\u003c/p\u003e\u003cp\u003eThis issue affects mdex: from 0.8.3 before 0.13.2.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in leandrocp mdex allows cross-site scripting via unsanitized URL schemes in Quill Delta output.\n\n\u0027Elixir.MDEx\u0027:to_delta/2 converts Markdown into a Quill Delta. \u0027Elixir.MDEx.DeltaConverter\u0027:default_convert_node/3 in lib/mdex/delta_converter.ex copies the URL of a link, wikilink, or image node directly from the parsed Markdown into the Delta \"link\" or \"image\" attribute without applying a scheme allowlist or any normalization.\n\nAn attacker who controls the Markdown text can supply a javascript: URL (for example [click](javascript:alert(document.cookie))) that survives verbatim into the Delta attribute. When the Delta is rendered to HTML by a downstream renderer (such as quill-delta-to-html or the Quill client), the attribute becomes an \u003ca href\u003e or \u003cimg src\u003e, and the javascript: scheme executes in the browser of anyone who views the rendered content. The link and wikilink cases are the strongest vectors because javascript: in an href executes on click; the image case is lower impact because javascript: in \u003cimg src\u003e generally does not execute in modern browsers.\n\nThis issue affects mdex: from 0.8.3 before 0.13.2."
}
],
"impacts": [
{
"capecId": "CAPEC-244",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-244 XSS Targeting URI Placeholders"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T04:38:42.158Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/leandrocp/mdex/security/advisories/GHSA-4383-7xfp-gpph"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-54889.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-54889"
},
{
"tags": [
"patch"
],
"url": "https://github.com/leandrocp/mdex/commit/2817147f5b87ce7186aa604c9ee72499485b8f2f"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unsanitized URL schemes in MDEx Quill Delta output allow javascript: injection (XSS)",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSanitize the Quill Delta produced by \u003ctt\u003e\u0027Elixir.MDEx\u0027:to_delta/2\u003c/tt\u003e before rendering it: drop or blank any \u003ctt\u003e\"link\"\u003c/tt\u003e or \u003ctt\u003e\"image\"\u003c/tt\u003e value whose URL scheme is not in a safe allowlist (\u003ctt\u003ehttp\u003c/tt\u003e, \u003ctt\u003ehttps\u003c/tt\u003e, \u003ctt\u003emailto\u003c/tt\u003e, \u003ctt\u003etel\u003c/tt\u003e).\u003c/p\u003e"
}
],
"value": "Sanitize the Quill Delta produced by \u0027Elixir.MDEx\u0027:to_delta/2 before rendering it: drop or blank any \"link\" or \"image\" value whose URL scheme is not in a safe allowlist (http, https, mailto, tel)."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-54889",
"datePublished": "2026-06-29T19:10:49.841Z",
"dateReserved": "2026-06-16T10:47:13.915Z",
"dateUpdated": "2026-06-30T04:38:42.158Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54888 (GCVE-0-2026-54888)
Vulnerability from cvelistv5 – Published: 2026-06-29 19:10 – Updated: 2026-06-30 04:37
VLAI
Title
Uncontrolled recursion over deeply nested Markdown crashes the BEAM in mdex
Summary
Uncontrolled Recursion vulnerability in leandrocp mdex allows denial of service via deeply nested Markdown input.
mdex converts between an Elixir %MDEx.Document{} struct and Comrak's internal AST using two mutually recursive Rust functions, ex_document_to_comrak_ast and comrak_ast_to_ex_document, in the NIF source file document.rs. Neither function enforces a maximum nesting depth, so the recursion depth is bounded only by the structure of the input. An attacker who can get a Markdown document rendered (for example through MDEx.parse_document!/1 or MDEx.to_html/1) can supply a document with thousands of nested block quotes, which drives unbounded recursion across the NIF boundary and exhausts the native C stack.
Because the resulting stack overflow is an uncatchable SIGSEGV raised inside a NIF, it cannot be contained by the Erlang runtime. It terminates the operating system process running the BEAM, killing every Elixir and Erlang process on the node, not just the caller that triggered the render. No authentication or special privileges are required.
The vulnerable conversion code was extracted from mdex into the separate mdex_native package starting in mdex 0.12.3. This issue affects mdex from 0.3.0 before 0.12.3 and mdex_native from 0.1.0 before 0.2.3.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-674 - Uncontrolled Recursion
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/leandrocp/mdex_native/security… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-54888.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-54888 | related |
| https://github.com/leandrocp/mdex_native/commit/9… | patch |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| leandrocp | mdex |
Affected:
0.3.0 , < 0.12.3
(semver)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex |
Affected:
d0bc7d55177727c61d188ef465178ab3b81f4f2c , < 6ed94d905f97af188323f042698ae841c02293b4
(git)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
0.1.0 , < 0.2.3
(semver)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
956528c5e31746253347029e810a969ab916fd27 , < 947696c47bc22bea5dffc0f78c946fa6b70ce183
(git)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54888",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T20:47:22.348133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T20:47:50.953Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-3w4f-53g2-f66p"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"comrak_nif",
"\u0027Elixir.MDEx\u0027",
"\u0027Elixir.MDEx.Native\u0027"
],
"packageName": "mdex",
"packageURL": "pkg:hex/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/types/document.rs",
"lib/mdex.ex",
"lib/mdex/native.ex"
],
"programRoutines": [
{
"name": "comrak_nif::types::document::ex_document_to_comrak_ast"
},
{
"name": "comrak_nif::types::document::comrak_ast_to_ex_document"
},
{
"name": "\u0027Elixir.MDEx\u0027:parse_document!/1"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/1"
},
{
"name": "\u0027Elixir.MDEx.Native\u0027:document_to_html_with_options/2"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.12.3",
"status": "affected",
"version": "0.3.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"comrak_nif",
"\u0027Elixir.MDEx\u0027",
"\u0027Elixir.MDEx.Native\u0027"
],
"packageName": "leandrocp/mdex",
"packageURL": "pkg:github/leandrocp/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/types/document.rs",
"lib/mdex.ex",
"lib/mdex/native.ex"
],
"programRoutines": [
{
"name": "comrak_nif::types::document::ex_document_to_comrak_ast"
},
{
"name": "comrak_nif::types::document::comrak_ast_to_ex_document"
},
{
"name": "\u0027Elixir.MDEx\u0027:parse_document!/1"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/1"
},
{
"name": "\u0027Elixir.MDEx.Native\u0027:document_to_html_with_options/2"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "6ed94d905f97af188323f042698ae841c02293b4",
"status": "affected",
"version": "d0bc7d55177727c61d188ef465178ab3b81f4f2c",
"versionType": "git"
}
]
},
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"mdex_native_nif",
"\u0027Elixir.MDExNative.Native\u0027"
],
"packageName": "mdex_native",
"packageURL": "pkg:hex/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/types/document.rs",
"lib/mdex_native/native.ex"
],
"programRoutines": [
{
"name": "mdex_native_nif::types::document::ex_document_to_comrak_ast"
},
{
"name": "mdex_native_nif::types::document::comrak_ast_to_ex_document"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:parse_document/2"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.2.3",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"mdex_native_nif",
"\u0027Elixir.MDExNative.Native\u0027"
],
"packageName": "leandrocp/mdex_native",
"packageURL": "pkg:github/leandrocp/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/types/document.rs",
"lib/mdex_native/native.ex"
],
"programRoutines": [
{
"name": "mdex_native_nif::types::document::ex_document_to_comrak_ast"
},
{
"name": "mdex_native_nif::types::document::comrak_ast_to_ex_document"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:parse_document/2"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "947696c47bc22bea5dffc0f78c946fa6b70ce183",
"status": "affected",
"version": "956528c5e31746253347029e810a969ab916fd27",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.12.3",
"versionStartIncluding": "0.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.2.3",
"versionStartIncluding": "0.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Leandro Pereira"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUncontrolled Recursion vulnerability in leandrocp mdex allows denial of service via deeply nested Markdown input.\u003c/p\u003e\u003cp\u003emdex converts between an Elixir \u003ctt\u003e%MDEx.Document{}\u003c/tt\u003e struct and Comrak\u0027s internal AST using two mutually recursive Rust functions, \u003ctt\u003eex_document_to_comrak_ast\u003c/tt\u003e and \u003ctt\u003ecomrak_ast_to_ex_document\u003c/tt\u003e, in the NIF source file \u003ctt\u003edocument.rs\u003c/tt\u003e. Neither function enforces a maximum nesting depth, so the recursion depth is bounded only by the structure of the input. An attacker who can get a Markdown document rendered (for example through \u003ctt\u003eMDEx.parse_document!/1\u003c/tt\u003e or \u003ctt\u003eMDEx.to_html/1\u003c/tt\u003e) can supply a document with thousands of nested block quotes, which drives unbounded recursion across the NIF boundary and exhausts the native C stack.\u003c/p\u003e\u003cp\u003eBecause the resulting stack overflow is an uncatchable SIGSEGV raised inside a NIF, it cannot be contained by the Erlang runtime. It terminates the operating system process running the BEAM, killing every Elixir and Erlang process on the node, not just the caller that triggered the render. No authentication or special privileges are required.\u003c/p\u003e\u003cp\u003eThe vulnerable conversion code was extracted from mdex into the separate mdex_native package starting in mdex 0.12.3. This issue affects mdex from 0.3.0 before 0.12.3 and mdex_native from 0.1.0 before 0.2.3.\u003c/p\u003e"
}
],
"value": "Uncontrolled Recursion vulnerability in leandrocp mdex allows denial of service via deeply nested Markdown input.\n\nmdex converts between an Elixir %MDEx.Document{} struct and Comrak\u0027s internal AST using two mutually recursive Rust functions, ex_document_to_comrak_ast and comrak_ast_to_ex_document, in the NIF source file document.rs. Neither function enforces a maximum nesting depth, so the recursion depth is bounded only by the structure of the input. An attacker who can get a Markdown document rendered (for example through MDEx.parse_document!/1 or MDEx.to_html/1) can supply a document with thousands of nested block quotes, which drives unbounded recursion across the NIF boundary and exhausts the native C stack.\n\nBecause the resulting stack overflow is an uncatchable SIGSEGV raised inside a NIF, it cannot be contained by the Erlang runtime. It terminates the operating system process running the BEAM, killing every Elixir and Erlang process on the node, not just the caller that triggered the render. No authentication or special privileges are required.\n\nThe vulnerable conversion code was extracted from mdex into the separate mdex_native package starting in mdex 0.12.3. This issue affects mdex from 0.3.0 before 0.12.3 and mdex_native from 0.1.0 before 0.2.3."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674 Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T04:37:59.369Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-3w4f-53g2-f66p"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-54888.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-54888"
},
{
"tags": [
"patch"
],
"url": "https://github.com/leandrocp/mdex_native/commit/947696c47bc22bea5dffc0f78c946fa6b70ce183"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Uncontrolled recursion over deeply nested Markdown crashes the BEAM in mdex",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-54888",
"datePublished": "2026-06-29T19:10:38.151Z",
"dateReserved": "2026-06-16T10:47:13.915Z",
"dateUpdated": "2026-06-30T04:37:59.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53429 (GCVE-0-2026-53429)
Vulnerability from cvelistv5 – Published: 2026-06-29 19:07 – Updated: 2026-06-30 04:38
VLAI
Title
Unbounded native memory leak in mdex escaped-tag rendering enables unauthenticated denial of service
Summary
Missing Release of Memory after Effective Lifetime vulnerability in leandrocp mdex and mdex_native allows an attacker who controls a rendered document to cause a denial of service through unbounded native memory exhaustion.
The native rendering code permanently leaks memory when rendering a document that contains escaped-tag nodes. The conversion of each %MDEx.EscapedTag{} node into its native representation (From<ExEscapedTag> for NodeValue in the Rust NIF) calls Box::leak on the caller-supplied literal string, which surrenders the backing allocation so that it lives for the entire lifetime of the operating system process and is never freed.
Both the byte length of each literal and the number of escaped-tag nodes in a document are attacker-controlled, and there is no size cap, rate limit, or string interning on this path. Every render of a document containing escaped-tag nodes therefore leaks literal_size x node_count bytes that can never be reclaimed, and repeated renders accumulate without bound. Rendering reaches this path through the public MDEx.to_html/1 entry point and any other API that renders a supplied %MDEx.Document{}.
Any application that uses mdex (or mdex_native directly) to render documents derived from user-supplied content is affected. Because the leaked memory is never reclaimed for the life of the BEAM process, an attacker can drive resident memory upward without limit until the node exhausts memory and crashes, taking down every process on it.
The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/types/document.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/types/document.rs), where it remains unpatched.
This issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/leandrocp/mdex_native/security… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-53429.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-53429 | related |
| https://github.com/leandrocp/mdex_native/commit/c… | patch |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| leandrocp | mdex |
Affected:
0.11.0 , < 0.12.3
(semver)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex |
Affected:
81e4d14dd3aa5b206e395c7f372b9b413793015f , < 6ed94d905f97af188323f042698ae841c02293b4
(git)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
0.1.0 , < 0.2.3
(semver)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
956528c5e31746253347029e810a969ab916fd27 , < cbd927fb5061b488de8d90a8ef6df65718ca1fe6
(git)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53429",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T20:45:00.827777Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T20:45:38.367Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-cmvp-gp9f-23xw"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"comrak_nif"
],
"packageName": "mdex",
"packageURL": "pkg:hex/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/types/document.rs"
],
"programRoutines": [
{
"name": "comrak_nif::document_to_html_with_options"
},
{
"name": "\u0027Elixir.MDEx.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/1"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.12.3",
"status": "affected",
"version": "0.11.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"comrak_nif"
],
"packageName": "leandrocp/mdex",
"packageURL": "pkg:github/leandrocp/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/types/document.rs"
],
"programRoutines": [
{
"name": "comrak_nif::document_to_html_with_options"
},
{
"name": "\u0027Elixir.MDEx.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/1"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "6ed94d905f97af188323f042698ae841c02293b4",
"status": "affected",
"version": "81e4d14dd3aa5b206e395c7f372b9b413793015f",
"versionType": "git"
}
]
},
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDExNative.Comrak\u0027",
"mdex_native_nif"
],
"packageName": "mdex_native",
"packageURL": "pkg:hex/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/types/document.rs"
],
"programRoutines": [
{
"name": "mdex_native_nif::document_to_html_with_options"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.2.3",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDExNative.Comrak\u0027",
"mdex_native_nif"
],
"packageName": "leandrocp/mdex_native",
"packageURL": "pkg:github/leandrocp/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/types/document.rs"
],
"programRoutines": [
{
"name": "mdex_native_nif::document_to_html_with_options"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "cbd927fb5061b488de8d90a8ef6df65718ca1fe6",
"status": "affected",
"version": "956528c5e31746253347029e810a969ab916fd27",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.12.3",
"versionStartIncluding": "0.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.2.3",
"versionStartIncluding": "0.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Leandro Pereira"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Release of Memory after Effective Lifetime vulnerability in leandrocp mdex and mdex_native allows an attacker who controls a rendered document to cause a denial of service through unbounded native memory exhaustion.\u003cp\u003eThe native rendering code permanently leaks memory when rendering a document that contains escaped-tag nodes. The conversion of each \u003ctt\u003e%MDEx.EscapedTag{}\u003c/tt\u003e node into its native representation (\u003ctt\u003eFrom\u0026lt;ExEscapedTag\u0026gt; for NodeValue\u003c/tt\u003e in the Rust NIF) calls \u003ctt\u003eBox::leak\u003c/tt\u003e on the caller-supplied \u003ctt\u003eliteral\u003c/tt\u003e string, which surrenders the backing allocation so that it lives for the entire lifetime of the operating system process and is never freed.\u003c/p\u003e\u003cp\u003eBoth the byte length of each literal and the number of escaped-tag nodes in a document are attacker-controlled, and there is no size cap, rate limit, or string interning on this path. Every render of a document containing escaped-tag nodes therefore leaks \u003ctt\u003eliteral_size \u0026times; node_count\u003c/tt\u003e bytes that can never be reclaimed, and repeated renders accumulate without bound. Rendering reaches this path through the public \u003ctt\u003eMDEx.to_html/1\u003c/tt\u003e entry point and any other API that renders a supplied \u003ctt\u003e%MDEx.Document{}\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eAny application that uses \u003ctt\u003emdex\u003c/tt\u003e (or \u003ctt\u003emdex_native\u003c/tt\u003e directly) to render documents derived from user-supplied content is affected. Because the leaked memory is never reclaimed for the life of the BEAM process, an attacker can drive resident memory upward without limit until the node exhausts memory and crashes, taking down every process on it.\u003c/p\u003e\u003cp\u003eThe vulnerable native code originally shipped inside \u003ctt\u003emdex\u003c/tt\u003e (in \u003ctt\u003enative/comrak_nif/src/types/document.rs\u003c/tt\u003e) and was later extracted into the separate \u003ctt\u003emdex_native\u003c/tt\u003e package (\u003ctt\u003enative/mdex_native_nif/src/types/document.rs\u003c/tt\u003e), where it remains unpatched.\u003c/p\u003e\u003cp\u003eThis issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.\u003c/p\u003e"
}
],
"value": "Missing Release of Memory after Effective Lifetime vulnerability in leandrocp mdex and mdex_native allows an attacker who controls a rendered document to cause a denial of service through unbounded native memory exhaustion.\n\nThe native rendering code permanently leaks memory when rendering a document that contains escaped-tag nodes. The conversion of each %MDEx.EscapedTag{} node into its native representation (From\u003cExEscapedTag\u003e for NodeValue in the Rust NIF) calls Box::leak on the caller-supplied literal string, which surrenders the backing allocation so that it lives for the entire lifetime of the operating system process and is never freed.\n\nBoth the byte length of each literal and the number of escaped-tag nodes in a document are attacker-controlled, and there is no size cap, rate limit, or string interning on this path. Every render of a document containing escaped-tag nodes therefore leaks literal_size x node_count bytes that can never be reclaimed, and repeated renders accumulate without bound. Rendering reaches this path through the public MDEx.to_html/1 entry point and any other API that renders a supplied %MDEx.Document{}.\n\nAny application that uses mdex (or mdex_native directly) to render documents derived from user-supplied content is affected. Because the leaked memory is never reclaimed for the life of the BEAM process, an attacker can drive resident memory upward without limit until the node exhausts memory and crashes, taking down every process on it.\n\nThe vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/types/document.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/types/document.rs), where it remains unpatched.\n\nThis issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T04:38:14.140Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-cmvp-gp9f-23xw"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-53429.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-53429"
},
{
"tags": [
"patch"
],
"url": "https://github.com/leandrocp/mdex_native/commit/cbd927fb5061b488de8d90a8ef6df65718ca1fe6"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unbounded native memory leak in mdex escaped-tag rendering enables unauthenticated denial of service",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-53429",
"datePublished": "2026-06-29T19:07:16.954Z",
"dateReserved": "2026-06-09T11:01:47.529Z",
"dateUpdated": "2026-06-30T04:38:14.140Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53428 (GCVE-0-2026-53428)
Vulnerability from cvelistv5 – Published: 2026-06-29 18:52 – Updated: 2026-06-30 04:38
VLAI
Title
Unbounded memory allocation in highlight_lines range expansion in mdex
Summary
Memory Allocation with Excessive Size Value vulnerability in leandrocp mdex allows an unauthenticated attacker to cause a denial of service through unbounded memory allocation.
comrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines in native/comrak_nif/src/lumis_adapter.rs eagerly expands a user-controlled inclusive line range from a fenced code block's highlight_lines decorator into a Vec<usize>, pushing one element per integer in the range with no upper bound on the range size. An attacker who can supply Markdown that an application renders with MDEx.to_html/2 (for example a comment, chat message, or wiki page) can embed a code block whose info string is rust highlight_lines="1-100000000", forcing the native adapter to allocate roughly 8 bytes per line in the range.
A payload that differs by only a few bytes can therefore allocate hundreds of megabytes, and a sufficiently large range (for example 1-2000000000) exhausts host memory and aborts the BEAM, denying service to every user of the rendering process. The per-line write loop additionally tests membership with a linear scan over the same vector, degrading rendering to a quadratic cost even for ranges that do not immediately exhaust memory.
The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched.
This issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-789 - Memory Allocation with Excessive Size Value
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/leandrocp/mdex_native/security… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-53428.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-53428 | related |
| https://github.com/leandrocp/mdex_native/commit/7… | patch |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| leandrocp | mdex |
Affected:
0.11.0 , < 0.12.3
(semver)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex |
Affected:
a8407611715d1ead35fbcba79c72cef1b7df387b , < 6ed94d905f97af188323f042698ae841c02293b4
(git)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
0.1.0 , < 0.2.3
(semver)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
956528c5e31746253347029e810a969ab916fd27 , < 798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3
(git)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53428",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T19:17:11.005816Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T19:17:25.070Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"comrak_nif"
],
"packageName": "mdex",
"packageURL": "pkg:hex/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.12.3",
"status": "affected",
"version": "0.11.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"comrak_nif"
],
"packageName": "leandrocp/mdex",
"packageURL": "pkg:github/leandrocp/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "6ed94d905f97af188323f042698ae841c02293b4",
"status": "affected",
"version": "a8407611715d1ead35fbcba79c72cef1b7df387b",
"versionType": "git"
}
]
},
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDExNative.Comrak\u0027",
"mdex_native_nif"
],
"packageName": "mdex_native",
"packageURL": "pkg:hex/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::parse_highlight_lines"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.2.3",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDExNative.Comrak\u0027",
"mdex_native_nif"
],
"packageName": "leandrocp/mdex_native",
"packageURL": "pkg:github/leandrocp/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::parse_highlight_lines"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3",
"status": "affected",
"version": "956528c5e31746253347029e810a969ab916fd27",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eExploitation requires the application to enable code-block decorators. Decorators are active only when the render options \u003ctt\u003egithub_pre_lang\u003c/tt\u003e and \u003ctt\u003efull_info_string\u003c/tt\u003e are both set and an inline syntax-highlight formatter (for example \u003ctt\u003e{:html_inline, ...}\u003c/tt\u003e) is configured. Applications that render Markdown with the default options do not parse \u003ctt\u003ehighlight_lines\u003c/tt\u003e specifications and are not affected.\u003c/p\u003e"
}
],
"value": "Exploitation requires the application to enable code-block decorators. Decorators are active only when the render options github_pre_lang and full_info_string are both set and an inline syntax-highlight formatter (for example {:html_inline, ...}) is configured. Applications that render Markdown with the default options do not parse highlight_lines specifications and are not affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.12.3",
"versionStartIncluding": "0.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.2.3",
"versionStartIncluding": "0.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Leandro Pereira"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Memory Allocation with Excessive Size Value vulnerability in leandrocp mdex allows an unauthenticated attacker to cause a denial of service through unbounded memory allocation.\u003cp\u003e\u003ctt\u003ecomrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines\u003c/tt\u003e in \u003ctt\u003enative/comrak_nif/src/lumis_adapter.rs\u003c/tt\u003e eagerly expands a user-controlled inclusive line range from a fenced code block\u0027s \u003ctt\u003ehighlight_lines\u003c/tt\u003e decorator into a \u003ctt\u003eVec\u0026lt;usize\u0026gt;\u003c/tt\u003e, pushing one element per integer in the range with no upper bound on the range size. An attacker who can supply Markdown that an application renders with \u003ctt\u003eMDEx.to_html/2\u003c/tt\u003e (for example a comment, chat message, or wiki page) can embed a code block whose info string is \u003ctt\u003erust highlight_lines=\"1-100000000\"\u003c/tt\u003e, forcing the native adapter to allocate roughly 8 bytes per line in the range.\u003c/p\u003e\u003cp\u003eA payload that differs by only a few bytes can therefore allocate hundreds of megabytes, and a sufficiently large range (for example \u003ctt\u003e1-2000000000\u003c/tt\u003e) exhausts host memory and aborts the BEAM, denying service to every user of the rendering process. The per-line write loop additionally tests membership with a linear scan over the same vector, degrading rendering to a quadratic cost even for ranges that do not immediately exhaust memory.\u003c/p\u003e\u003cp\u003eThe vulnerable native code originally shipped inside \u003ctt\u003emdex\u003c/tt\u003e (in \u003ctt\u003enative/comrak_nif/src/lumis_adapter.rs\u003c/tt\u003e) and was later extracted into the separate \u003ctt\u003emdex_native\u003c/tt\u003e package (\u003ctt\u003enative/mdex_native_nif/src/lumis_adapter.rs\u003c/tt\u003e), where it remains unpatched.\u003c/p\u003e\u003cp\u003eThis issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.\u003c/p\u003e"
}
],
"value": "Memory Allocation with Excessive Size Value vulnerability in leandrocp mdex allows an unauthenticated attacker to cause a denial of service through unbounded memory allocation.\n\ncomrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines in native/comrak_nif/src/lumis_adapter.rs eagerly expands a user-controlled inclusive line range from a fenced code block\u0027s highlight_lines decorator into a Vec\u003cusize\u003e, pushing one element per integer in the range with no upper bound on the range size. An attacker who can supply Markdown that an application renders with MDEx.to_html/2 (for example a comment, chat message, or wiki page) can embed a code block whose info string is rust highlight_lines=\"1-100000000\", forcing the native adapter to allocate roughly 8 bytes per line in the range.\n\nA payload that differs by only a few bytes can therefore allocate hundreds of megabytes, and a sufficiently large range (for example 1-2000000000) exhausts host memory and aborts the BEAM, denying service to every user of the rendering process. The per-line write loop additionally tests membership with a linear scan over the same vector, degrading rendering to a quadratic cost even for ranges that do not immediately exhaust memory.\n\nThe vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched.\n\nThis issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789 Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T04:38:36.755Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-j93q-9cvj-rxfm"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-53428.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-53428"
},
{
"tags": [
"patch"
],
"url": "https://github.com/leandrocp/mdex_native/commit/798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unbounded memory allocation in highlight_lines range expansion in mdex",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDo not enable code-block decorators: leave the \u003ctt\u003egithub_pre_lang\u003c/tt\u003e and \u003ctt\u003efull_info_string\u003c/tt\u003e render options unset, or avoid configuring an inline syntax-highlight formatter, so that \u003ctt\u003ehighlight_lines\u003c/tt\u003e specifications are never parsed.\u003c/p\u003e"
}
],
"value": "Do not enable code-block decorators: leave the github_pre_lang and full_info_string render options unset, or avoid configuring an inline syntax-highlight formatter, so that highlight_lines specifications are never parsed."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-53428",
"datePublished": "2026-06-29T18:52:36.199Z",
"dateReserved": "2026-06-09T11:01:47.529Z",
"dateUpdated": "2026-06-30T04:38:36.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53427 (GCVE-0-2026-53427)
Vulnerability from cvelistv5 – Published: 2026-06-29 18:50 – Updated: 2026-06-30 04:37
VLAI
Title
Cross-site scripting in MDEx via unescaped highlight_lines_class code-fence attribute
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown.
When syntax highlighting and full info-string forwarding (render: [full_info_string: true]) are enabled, the Lumis adapter copies the value of a code fence's highlight_lines_class info-string attribute, unescaped, into the class attribute of every rendered line. comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes in native/comrak_nif/src/lumis_adapter.rs shlex-parses the info string and stores each key=value pair verbatim, highlight_lines_config pulls highlight_lines_class into the per-line class value, and write_highlighted interpolates that value directly into the class attribute of the per-line <div>. A single-quoted shell token preserves an inner double quote through shlex parsing, so a value such as '"><script>alert(1)</script>' terminates the class attribute early and the markup that follows is emitted as live HTML.
An attacker who can submit Markdown (through comments, posts, wiki pages, documentation, or any user-generated content) can inject arbitrary HTML and JavaScript that runs in the browser of every user who views the rendered output, enabling session theft, account takeover, and other client-side attacks. No authentication or special privileges are required.
The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched.
This issue affects mdex from 0.11.3 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/leandrocp/mdex_native/security… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-53427.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-53427 | related |
| https://github.com/leandrocp/mdex_native/commit/7… | patch |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| leandrocp | mdex |
Affected:
0.11.3 , < 0.12.3
(semver)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex |
Affected:
0d7ffc84ea742e1daf666426814e5bb6d0499433 , < 6ed94d905f97af188323f042698ae841c02293b4
(git)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
0.1.0 , < 0.2.3
(semver)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
956528c5e31746253347029e810a969ab916fd27 , < 798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3
(git)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53427",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T19:18:13.166991Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T19:19:28.028Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"comrak_nif"
],
"packageName": "mdex",
"packageURL": "pkg:hex/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes"
},
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::highlight_lines_config"
},
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::write_highlighted"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.12.3",
"status": "affected",
"version": "0.11.3",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"comrak_nif"
],
"packageName": "leandrocp/mdex",
"packageURL": "pkg:github/leandrocp/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes"
},
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::highlight_lines_config"
},
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::write_highlighted"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "6ed94d905f97af188323f042698ae841c02293b4",
"status": "affected",
"version": "0d7ffc84ea742e1daf666426814e5bb6d0499433",
"versionType": "git"
}
]
},
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDExNative.Comrak\u0027",
"mdex_native_nif"
],
"packageName": "mdex_native",
"packageURL": "pkg:hex/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::parse_custom_attributes"
},
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::highlight_lines_config"
},
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::write_highlighted"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.2.3",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDExNative.Comrak\u0027",
"mdex_native_nif"
],
"packageName": "leandrocp/mdex_native",
"packageURL": "pkg:github/leandrocp/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::parse_custom_attributes"
},
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::highlight_lines_config"
},
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::write_highlighted"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3",
"status": "affected",
"version": "956528c5e31746253347029e810a969ab916fd27",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe vulnerable code path is only reachable when MDEx is configured with a syntax-highlighting formatter (for example \u003ctt\u003esyntax_highlight: [formatter: {:html_inline, ...}]\u003c/tt\u003e or \u003ctt\u003e{:html_linked, ...}\u003c/tt\u003e) and with full info-string forwarding enabled (\u003ctt\u003erender: [full_info_string: true]\u003c/tt\u003e). Full info-string forwarding is required for comrak to hand the \u003ctt\u003ehighlight_lines_class\u003c/tt\u003e attribute to the highlighter, so any application that uses the line-highlighting attributes already has it enabled.\u003c/p\u003e"
}
],
"value": "The vulnerable code path is only reachable when MDEx is configured with a syntax-highlighting formatter (for example syntax_highlight: [formatter: {:html_inline, ...}] or {:html_linked, ...}) and with full info-string forwarding enabled (render: [full_info_string: true]). Full info-string forwarding is required for comrak to hand the highlight_lines_class attribute to the highlighter, so any application that uses the line-highlighting attributes already has it enabled."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.12.3",
"versionStartIncluding": "0.11.3",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.2.3",
"versionStartIncluding": "0.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Leandro Pereira"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown.\u003c/p\u003e\u003cp\u003eWhen syntax highlighting and full info-string forwarding (\u003ctt\u003erender: [full_info_string: true]\u003c/tt\u003e) are enabled, the Lumis adapter copies the value of a code fence\u0027s \u003ctt\u003ehighlight_lines_class\u003c/tt\u003e info-string attribute, unescaped, into the \u003ctt\u003eclass\u003c/tt\u003e attribute of every rendered line. \u003ctt\u003ecomrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes\u003c/tt\u003e in \u003ctt\u003enative/comrak_nif/src/lumis_adapter.rs\u003c/tt\u003e shlex-parses the info string and stores each \u003ctt\u003ekey=value\u003c/tt\u003e pair verbatim, \u003ctt\u003ehighlight_lines_config\u003c/tt\u003e pulls \u003ctt\u003ehighlight_lines_class\u003c/tt\u003e into the per-line class value, and \u003ctt\u003ewrite_highlighted\u003c/tt\u003e interpolates that value directly into the \u003ctt\u003eclass\u003c/tt\u003e attribute of the per-line \u003ctt\u003e\u0026lt;div\u0026gt;\u003c/tt\u003e. A single-quoted shell token preserves an inner double quote through shlex parsing, so a value such as \u003ctt\u003e\u0027\u0026quot;\u0026gt;\u0026lt;script\u0026gt;alert(1)\u0026lt;/script\u0026gt;\u0027\u003c/tt\u003e terminates the \u003ctt\u003eclass\u003c/tt\u003e attribute early and the markup that follows is emitted as live HTML.\u003c/p\u003e\u003cp\u003eAn attacker who can submit Markdown (through comments, posts, wiki pages, documentation, or any user-generated content) can inject arbitrary HTML and JavaScript that runs in the browser of every user who views the rendered output, enabling session theft, account takeover, and other client-side attacks. No authentication or special privileges are required.\u003c/p\u003e\u003cp\u003eThe vulnerable native code originally shipped inside \u003ctt\u003emdex\u003c/tt\u003e (in \u003ctt\u003enative/comrak_nif/src/lumis_adapter.rs\u003c/tt\u003e) and was later extracted into the separate \u003ctt\u003emdex_native\u003c/tt\u003e package (\u003ctt\u003enative/mdex_native_nif/src/lumis_adapter.rs\u003c/tt\u003e), where it remains unpatched.\u003c/p\u003e\u003cp\u003eThis issue affects mdex from 0.11.3 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown.\n\nWhen syntax highlighting and full info-string forwarding (render: [full_info_string: true]) are enabled, the Lumis adapter copies the value of a code fence\u0027s highlight_lines_class info-string attribute, unescaped, into the class attribute of every rendered line. comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes in native/comrak_nif/src/lumis_adapter.rs shlex-parses the info string and stores each key=value pair verbatim, highlight_lines_config pulls highlight_lines_class into the per-line class value, and write_highlighted interpolates that value directly into the class attribute of the per-line \u003cdiv\u003e. A single-quoted shell token preserves an inner double quote through shlex parsing, so a value such as \u0027\"\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\u0027 terminates the class attribute early and the markup that follows is emitted as live HTML.\n\nAn attacker who can submit Markdown (through comments, posts, wiki pages, documentation, or any user-generated content) can inject arbitrary HTML and JavaScript that runs in the browser of every user who views the rendered output, enabling session theft, account takeover, and other client-side attacks. No authentication or special privileges are required.\n\nThe vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched.\n\nThis issue affects mdex from 0.11.3 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T04:37:51.902Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-v664-pmxr-mxxx"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-53427.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-53427"
},
{
"tags": [
"patch"
],
"url": "https://github.com/leandrocp/mdex_native/commit/798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Cross-site scripting in MDEx via unescaped highlight_lines_class code-fence attribute",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDo not enable full info-string forwarding (\u003ctt\u003erender: [full_info_string: true]\u003c/tt\u003e) when rendering untrusted Markdown, which prevents the \u003ctt\u003ehighlight_lines_class\u003c/tt\u003e attribute from reaching the highlighter. Alternatively, restrict \u003ctt\u003ehighlight_lines_class\u003c/tt\u003e values to a safe character set (for example \u003ctt\u003e[A-Za-z0-9_- ]\u003c/tt\u003e) before rendering.\u003c/p\u003e"
}
],
"value": "Do not enable full info-string forwarding (render: [full_info_string: true]) when rendering untrusted Markdown, which prevents the highlight_lines_class attribute from reaching the highlighter. Alternatively, restrict highlight_lines_class values to a safe character set (for example [A-Za-z0-9_- ]) before rendering."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-53427",
"datePublished": "2026-06-29T18:50:17.185Z",
"dateReserved": "2026-06-09T11:01:47.529Z",
"dateUpdated": "2026-06-30T04:37:51.902Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}