CVE-2026-54888
Status: Received (Intake)

Uncontrolled Recursion in mdex Allows DoS via Nested Markdown

Vulnerability report for CVE-2026-54888, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: EEF

Description

Uncontrolled Recursion vulnerability in leandrocp mdex allows denial of service via deeply nested Markdown input. mdex converts between an Elixir %MDEx.Document{} struct and Comrak's internal AST using two mutually recursive Rust functions, ex_document_to_comrak_ast and comrak_ast_to_ex_document, in the NIF source file document.rs. Neither function enforces a maximum nesting depth, so the recursion depth is bounded only by the structure of the input. An attacker who can get a Markdown document rendered (for example through MDEx.parse_document!/1 or MDEx.to_html/1) can supply a document with thousands of nested block quotes, which drives unbounded recursion across the NIF boundary and exhausts the native C stack. Because the resulting stack overflow is an uncatchable SIGSEGV raised inside a NIF, it cannot be contained by the Erlang runtime. It terminates the operating system process running the BEAM, killing every Elixir and Erlang process on the node, not just the caller that triggered the render. No authentication or special privileges are required. The vulnerable conversion code was extracted from mdex into the separate mdex_native package starting in mdex 0.12.3. This issue affects mdex from 0.3.0 before 0.12.3 and mdex_native from 0.1.0 before 0.2.3.


Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-30
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor      Product       Version / Range
leandrocp   mdex          From 0.3.0 (inc) to 0.12.3 (exc)
leandrocp   mdex_native   From 0.1.0 (inc) to 0.2.3 (exc)

Exploitability

CWE-674: The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Executive Summary

CVE-2026-54888 is an uncontrolled recursion vulnerability in the mdex and mdex_native Elixir Markdown libraries that wrap the Rust Comrak parser via a Native Implemented Function (NIF).

The vulnerability arises because two mutually recursive Rust functions, ex_document_to_comrak_ast and comrak_ast_to_ex_document, do not enforce a maximum nesting depth when converting between an Elixir %MDEx.Document{} struct and Comrak's internal AST.

An attacker can supply a Markdown document with thousands of nested block quotes, causing unbounded recursion across the NIF boundary that exhausts the native C stack and triggers a segmentation fault (SIGSEGV).

This stack overflow is uncatchable and terminates the entire BEAM node, killing all Elixir and Erlang processes on the system, not just the process that triggered the render.

No authentication or special privileges are required to exploit this vulnerability.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can cause a denial of service (DoS) by crashing the entire BEAM virtual machine process running Elixir and Erlang applications.

When exploited, the unbounded recursion leads to a native stack overflow and an uncatchable segmentation fault that terminates the operating system process running the BEAM.

As a result, all Elixir and Erlang processes on the node are killed, causing a complete service outage.

The attack requires no authentication or special privileges and can be triggered by submitting deeply nested Markdown input, such as through comments, posts, or profile fields.

Detection Guidance

This vulnerability is triggered by rendering deeply nested Markdown documents, which causes a stack overflow and terminates the BEAM process. Detection involves identifying whether your system is running vulnerable versions of the mdex or mdex_native packages and monitoring for crashes or process terminations related to Markdown rendering.

There are no specific commands provided in the available resources to detect the vulnerability directly on your network or system.
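One practical way to act on the guidance above is to scan a project's mix.lock for the affected version ranges. The following is an added example, not code from the mdex project or from this advisory; it assumes the standard mix.lock dependency line shape (`"name": {:hex, :name, "x.y.z", ...}`) and runs against a constructed sample lock file with placeholder hashes when no path is given on the command line.

```rust
/// Affected ranges as published for CVE-2026-54888, as [from, to): the lower
/// bound is inclusive, the upper bound (the fixed release) exclusive.
const AFFECTED: &[(&str, [u64; 3], [u64; 3])] = &[
    ("mdex", [0, 3, 0], [0, 12, 3]),
    ("mdex_native", [0, 1, 0], [0, 2, 3]),
];

/// Constructed sample mix.lock (hashes replaced by placeholders); not taken
/// from any real project.
const SAMPLE_MIX_LOCK: &str = r#"%{
  "jason": {:hex, :jason, "1.4.4", "<hash>", [:mix], [], "hexpm", "<hash>"},
  "mdex": {:hex, :mdex, "0.12.3", "<hash>", [:mix], [{:mdex_native, "~> 0.2", [hex: :mdex_native, repo: "hexpm", optional: false]}], "hexpm", "<hash>"},
  "mdex_native": {:hex, :mdex_native, "0.2.2", "<hash>", [:mix], [{:rustler, "~> 0.36", [hex: :rustler, repo: "hexpm", optional: false]}], "hexpm", "<hash>"},
}"#;

/// Parse "MAJOR.MINOR.PATCH" into a triple. A "-pre" or "+build" suffix is
/// dropped, which treats a pre-release of the fixed version as fixed; tighten
/// this if your lock files carry pre-releases.
fn parse_version(v: &str) -> Option<[u64; 3]> {
    let core = v.split(|c| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    let triple = [parts.next()??, parts.next()??, parts.next()??];
    if parts.next().is_some() {
        return None;
    }
    Some(triple)
}

/// Pull (package, version) pairs out of mix.lock text. Each hex dependency
/// line has the shape  "name": {:hex, :name, "x.y.z", ...},
fn lock_entries(lock: &str) -> Vec<(String, String)> {
    let mut out = Vec::new();
    for raw in lock.lines() {
        let line = raw.trim_start();
        if !line.starts_with('"') {
            continue;
        }
        let name_end = match line[1..].find('"') {
            Some(i) => i,
            None => continue,
        };
        let name = &line[1..1 + name_end];
        let rest = &line[1 + name_end..];
        let after = match rest.find("{:hex, :") {
            Some(i) => &rest[i..],
            None => continue, // git/path deps carry no hex version
        };
        // The first quoted string after "{:hex, :" is the resolved version.
        let q1 = match after.find('"') {
            Some(i) => i + 1,
            None => continue,
        };
        let q2 = match after[q1..].find('"') {
            Some(i) => q1 + i,
            None => continue,
        };
        out.push((name.to_string(), after[q1..q2].to_string()));
    }
    out
}

/// True when `name`/`version` falls in one of the published affected ranges.
fn is_affected(name: &str, version: &str) -> bool {
    AFFECTED.iter().any(|(pkg, from, to)| {
        *pkg == name && parse_version(version).map_or(false, |v| v >= *from && v < *to)
    })
}

/// All lock entries that still need the upgrade.
fn vulnerable_entries(lock: &str) -> Vec<(String, String)> {
    lock_entries(lock)
        .into_iter()
        .filter(|(name, version)| is_affected(name, version))
        .collect()
}

fn main() {
    // Usage: pass a path to mix.lock; without one the constructed sample is used.
    let lock = std::env::args()
        .nth(1)
        .and_then(|p| std::fs::read_to_string(p).ok())
        .unwrap_or_else(|| SAMPLE_MIX_LOCK.to_string());
    for (name, version) in vulnerable_entries(&lock) {
        println!("{} {}: affected by CVE-2026-54888, upgrade required", name, version);
    }
}
```

The sample deliberately pairs a fixed mdex (0.12.3) with an unpatched mdex_native (0.2.2), since the advisory notes the conversion code moved into mdex_native from 0.12.3 onward; only the mdex_native entry is reported.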

Mitigation Strategies

The primary mitigation is to upgrade the affected packages to patched versions where the vulnerability is fixed.

  • Upgrade mdex to version 0.12.3 or later.
  • Upgrade mdex_native to version 0.2.3 or later.

These updates replace the recursive Rust functions with an iterative stack-based approach to safely handle deeply nested Markdown input without causing stack overflows.
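To show what replacing the recursive conversion with an iterative, stack-based one looks like in practice, here is an added illustration in Rust. It is not mdex's or mdex_native's code and does not use Comrak's types: it models the two document representations with a toy arena-backed tree, includes a recursive conversion in the shape the advisory describes (only ever called on shallow input), and a bounded iterative conversion that keeps its work items on the heap and rejects nesting beyond a limit of 1000 (an assumed value for the demonstration, not one the advisory specifies).

```rust
/// Node kinds of a toy Markdown document tree, standing in for the
/// %MDEx.Document{} / Comrak AST pair. Not mdex's own types.
#[derive(Debug, Clone, PartialEq)]
enum NodeKind {
    Document,
    BlockQuote,
    Text(String),
}

/// Arena-backed tree: every node lives in a flat Vec and children are indices.
/// Dropping the tree drops two Vecs, so even a 100k-deep tree never recurses
/// on the way out (a Box-linked tree would recurse in Drop as well).
#[derive(Debug, Default, PartialEq)]
struct Tree {
    kinds: Vec<NodeKind>,
    children: Vec<Vec<usize>>,
}

impl Tree {
    fn add(&mut self, parent: Option<usize>, kind: NodeKind) -> usize {
        let id = self.kinds.len();
        self.kinds.push(kind);
        self.children.push(Vec::new());
        if let Some(p) = parent {
            self.children[p].push(id);
        }
        id
    }
}

#[derive(Debug, PartialEq)]
enum ConvertError {
    /// Nesting exceeded the configured limit; conversion stopped cleanly.
    TooDeep { limit: usize },
}

/// The unbounded pattern the advisory describes: one native frame per nesting
/// level, so the C stack is the only limit. Kept for contrast and only ever
/// called on shallow input here.
fn convert_recursive(src: &Tree, node: usize, dst: &mut Tree, parent: Option<usize>) {
    let id = dst.add(parent, src.kinds[node].clone());
    for &child in &src.children[node] {
        convert_recursive(src, child, dst, Some(id));
    }
}

/// Iterative conversion with an explicit work stack and a hard depth limit.
/// Heap-allocated work items replace native stack frames, and the limit turns
/// pathological nesting into a recoverable Err instead of a fatal SIGSEGV.
fn convert_bounded(src: &Tree, root: usize, limit: usize) -> Result<Tree, ConvertError> {
    let mut dst = Tree::default();
    // (source node, destination parent, depth of this node)
    let mut work: Vec<(usize, Option<usize>, usize)> = vec![(root, None, 0)];
    while let Some((node, parent, depth)) = work.pop() {
        if depth > limit {
            return Err(ConvertError::TooDeep { limit });
        }
        let id = dst.add(parent, src.kinds[node].clone());
        // Push in reverse so children are emitted in document order.
        for &child in src.children[node].iter().rev() {
            work.push((child, Some(id), depth + 1));
        }
    }
    Ok(dst)
}

/// Constructed input: a document with `levels` nested block quotes around one
/// text node.
fn nested_quotes(levels: usize) -> Tree {
    let mut t = Tree::default();
    let mut cur = t.add(None, NodeKind::Document);
    for _ in 0..levels {
        cur = t.add(Some(cur), NodeKind::BlockQuote);
    }
    t.add(Some(cur), NodeKind::Text("leaf".to_string()));
    t
}

/// Deepest node depth (root = 0), also computed iteratively.
fn depth_of(t: &Tree) -> usize {
    let mut best = 0;
    let mut work = vec![(0usize, 0usize)];
    while let Some((node, depth)) = work.pop() {
        best = best.max(depth);
        work.extend(t.children[node].iter().map(|&c| (c, depth + 1)));
    }
    best
}

fn main() {
    let shallow = nested_quotes(5);
    let mut via_recursion = Tree::default();
    convert_recursive(&shallow, 0, &mut via_recursion, None);
    let via_stack = convert_bounded(&shallow, 0, 1_000).expect("shallow input converts");
    println!("shallow: depth {} by both conversions", depth_of(&via_stack));
    assert_eq!(via_recursion, via_stack);

    let deep = nested_quotes(100_000);
    match convert_bounded(&deep, 0, 1_000) {
        Ok(_) => println!("unexpected: deep input accepted"),
        Err(e) => println!("deep input rejected without touching the native stack: {:?}", e),
    }
}
```

The depth limit is the part the advisory's fix needs beyond iteration alone: an explicit stack removes the crash, but a cap keeps a single request from allocating an arbitrarily large work list, and the Err is something the calling Elixir code can handle per request instead of losing the node.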
