CVE-2026-25962
Received Received - Intake
Zip Extraction Resource Exhaustion in MarkUs Before

Publication date: 2026-03-06

Last updated on: 2026-03-12

Assigner: GitHub, Inc.

Description
MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.4, MarkUs currently extracts zip files without any size or entry-count limits. For example, instructors can upload a zip file to provide an assignment configuration; students can upload a zip file for an assignment submission and indicate its contents should be extracted. This issue has been patched in version 2.9.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-03-12
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25962
EUVD
EUVD-2026-9967
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
markusproject markus to 2.9.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-409 The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-25962 is a moderate severity vulnerability in the MarkUs web application, affecting versions up to 2.9.3. The issue arises because MarkUs extracts zip files without any limits on their size or the number of entries. This allows an attacker to upload a specially crafted zip bombβ€”a highly compressed archive that expands massively when extractedβ€”causing excessive consumption of disk space and CPU resources.

This improper handling of highly compressed data leads to resource exhaustion and results in a denial of service (DoS), making the MarkUs service unavailable. The vulnerability requires only low privileges to exploit and no user interaction, with the attack vector being network-based.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) condition. An attacker can cause the MarkUs service to become unavailable by uploading a zip bomb that exhausts system resources such as disk space and CPU.

There is no impact on confidentiality or integrity of data, but the availability of the service is compromised, potentially disrupting assignment submissions and grading processes.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves the extraction of highly compressed zip files (zip bombs) that cause resource exhaustion. Detection can focus on monitoring for unusually large CPU or disk usage during zip file extraction processes in MarkUs versions up to 2.9.3.

Since the vulnerability is triggered by zip bomb files uploaded and extracted by the application, you can detect suspicious zip files by checking their compression ratio or number of entries before extraction.

  • Use commands to inspect zip files for unusually high compression ratios or large numbers of entries, for example:
  • 1. To list the contents and count entries: `unzip -l suspicious.zip | wc -l`
  • 2. To check the compressed and uncompressed sizes: `zipinfo -v suspicious.zip`
  • 3. Monitor system resource usage during extraction with commands like `top`, `htop`, or `iotop` to detect spikes.

Additionally, network monitoring tools can be used to detect unusual upload activity of large or suspicious zip files to the MarkUs application.

Mitigation Strategies

The primary mitigation is to upgrade MarkUs to version 2.9.4 or later, where protections against zip bombs have been implemented by imposing extraction limits.

Until the upgrade can be performed, consider the following immediate steps:

  • 1. Restrict or disable zip file uploads temporarily to prevent exploitation.
  • 2. Implement manual or automated scanning of uploaded zip files to detect and block zip bombs based on size, entry count, or compression ratio.
  • 3. Monitor system resources closely for signs of excessive CPU or disk usage related to zip extraction.
  • 4. Apply network-level controls to limit or inspect uploads to the MarkUs application.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25962. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart