CVE-2026-25962
📋 TL;DR
MarkUs web application versions before 2.9.4 lack proper limits when extracting zip files, allowing attackers to cause denial of service through resource exhaustion. Both instructors uploading assignment configurations and students submitting assignments are affected by this vulnerability.
💻 Affected Systems
- MarkUs
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system unavailability due to disk space exhaustion or memory depletion from processing malicious zip bombs, potentially affecting all users of the MarkUs instance.
Likely Case
Temporary service degradation or unavailability when processing specially crafted zip files, impacting assignment submissions and grading workflows.
If Mitigated
Minimal impact with proper monitoring and resource limits in place, though still vulnerable to targeted attacks.
🎯 Exploit Status
Exploitation requires authenticated access as either student or instructor. Creating malicious zip bombs is trivial with available tools.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.4
Vendor Advisory: https://github.com/MarkUsProject/Markus/security/advisories/GHSA-x8xv-j7fc-65x5
Restart Required: Yes
Instructions:
1. Backup your current MarkUs installation and database.
2. Update to version 2.9.4 using git: 'git fetch origin && git checkout v2.9.4'.
3. Run bundle install to update dependencies.
4. Restart the MarkUs application server.
🔧 Temporary Workarounds
Disable zip extraction
Platform: all
Temporarily disable zip file extraction functionality in MarkUs configuration
Modify config/environments/production.rb to disable zip extraction features
Implement filesystem quotas
Platform: linux
Set disk quotas on the extraction directory to limit impact
sudo setquota -u markus 500M 1G 0 0 /
sudo edquota -p markus otheruser
🧯 If You Can't Patch
- Implement monitoring for disk space usage and process resource consumption with immediate alerting
- Restrict zip uploads to trusted users only through additional access controls
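The workarounds and the fallback controls above all try to bound what one uploaded archive can consume. The following is an added example, not MarkUs's own code and not the 2.9.4 patch, of the core control such a fix needs: inflating an entry with a hard cap on the bytes produced and on the compression ratio, and aborting before any over-budget data reaches disk. It uses only Ruby's standard-library Zlib on a raw deflate stream rather than a full zip parser; the limit values, the `inflate_bounded` and `check_budget!` names, and the two sample payloads are assumptions constructed for the demo.

```ruby
require 'zlib'
require 'stringio'

# Added example, not MarkUs code: bound what one compressed entry may expand to.
class ExtractionLimitExceeded < StandardError; end

MAX_INFLATED_BYTES = 8 * 1024 * 1024 # hypothetical per-entry cap (8 MiB)
MAX_RATIO          = 100             # hypothetical cap on inflated:compressed ratio
INPUT_SLICE        = 1024            # compressed bytes fed to zlib per step

# Raise as soon as either budget is exceeded.
def check_budget!(written, consumed, max_bytes, max_ratio)
  if written > max_bytes
    raise ExtractionLimitExceeded, "inflated #{written} bytes exceeds cap of #{max_bytes}"
  end
  if consumed.positive? && written > consumed * max_ratio
    raise ExtractionLimitExceeded, "compression ratio #{written / consumed}:1 exceeds #{max_ratio}:1"
  end
end

# Inflate the zlib/deflate stream in +compressed+ (a String) into +out+ (any IO).
# Input is fed in small slices so the budget is checked before each chunk is
# written; deflate expands at most ~1032x, so the overshoot per step is bounded.
# Returns the number of bytes written.
def inflate_bounded(compressed, out, max_bytes: MAX_INFLATED_BYTES, max_ratio: MAX_RATIO)
  zi = Zlib::Inflate.new
  written = 0
  consumed = 0
  offset = 0
  until offset >= compressed.bytesize || zi.finished?
    slice = compressed.byteslice(offset, INPUT_SLICE)
    offset += slice.bytesize
    consumed += slice.bytesize
    chunk = zi.inflate(slice)
    written += chunk.bytesize
    check_budget!(written, consumed, max_bytes, max_ratio)
    out.write(chunk)
  end
  # finish flushes whatever output zlib still buffers for a complete stream.
  tail = zi.finish
  written += tail.bytesize
  check_budget!(written, consumed, max_bytes, max_ratio)
  out.write(tail)
  written
ensure
  zi&.close
end

# Constructed sample inputs: an ordinary submission (incompressible bytes behind a
# short text header) and a "bomb" of zeros that inflates roughly 1000:1.
LEGIT_PAYLOAD = "submission.txt\n".b + Random.new(7).bytes(300_000)
BOMB_PAYLOAD  = "\0".b * (32 * 1024 * 1024)

def demo
  out = StringIO.new("".b)
  n = inflate_bounded(Zlib::Deflate.deflate(LEGIT_PAYLOAD), out)
  puts "legit entry: wrote #{n} bytes"
  inflate_bounded(Zlib::Deflate.deflate(BOMB_PAYLOAD, Zlib::BEST_COMPRESSION), StringIO.new("".b))
rescue ExtractionLimitExceeded => e
  puts "rejected: #{e.message}"
end

demo if $PROGRAM_NAME == __FILE__
```

The per-entry cap is only half of the control: in a real extractor the same counter should also be summed across all entries of an archive, and the entry count capped, since many small entries can exhaust inodes and time as effectively as one large one. Archive libraries commonly used in Rails, such as rubyzip, expose a related check (`Zip.validate_entry_sizes`) that compares an entry's actual inflated size with the size its header declares; a ratio cap as above rejects bombs whose headers are honest as well.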
🔍 How to Verify
Check if Vulnerable:
Check the MarkUs version in the application or via 'git describe --tags' in the installation directory
Check Version:
git describe --tags 2>/dev/null || cat VERSION 2>/dev/null || echo 'Check application interface'
Verify Fix Applied:
Verify that the version is 2.9.4 or later, then test zip extraction with a large zip file to confirm that the limits are enforced
📡 Detection & Monitoring
Log Indicators:
- Unusually large zip file uploads
- Extended processing times for zip extraction
- Disk space alerts
- Out of memory errors
Network Indicators:
- Large file uploads to assignment submission endpoints
- Repeated zip uploads from single source
SIEM Query:
source="markus.log" AND ("zip" OR "extract") AND size>100000000
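To turn the indicators above into a check that runs over a log, here is an added example (not from the page and not MarkUs code) that scans constructed upload log lines: it flags any zip upload larger than the 100 MB threshold used in the SIEM query, and any source address that uploads zips more than a set number of times inside a short window. The log format with a `size=` field, the `/submissions` path, the addresses, and the burst thresholds are all assumptions constructed for the demo.

```ruby
require 'time'

# Added example, not MarkUs code. Constructed upload log lines in an assumed
# format: timestamp, client address, method, path, file name, upload size in bytes.
SAMPLE_LOG = <<~LOG
  2026-03-01T10:00:01Z 10.0.0.5 POST /assignments/3/submissions file=a1.zip size=24000
  2026-03-01T10:00:07Z 10.0.0.5 POST /assignments/3/submissions file=a1.zip size=24000
  2026-03-01T10:00:12Z 10.0.0.5 POST /assignments/3/submissions file=a1.zip size=24000
  2026-03-01T10:00:18Z 10.0.0.5 POST /assignments/3/submissions file=a1.zip size=24000
  2026-03-01T10:01:00Z 10.0.0.9 POST /assignments/3/submissions file=big.zip size=180000000
  2026-03-01T10:02:00Z 10.0.0.7 POST /assignments/3/submissions file=notes.pdf size=300000
  2026-03-01T11:30:00Z 10.0.0.5 POST /assignments/4/submissions file=a2.zip size=26000
LOG

LINE_RE = /\A(?<ts>\S+) (?<src>\S+) (?<method>\S+) (?<path>\S+) file=(?<file>\S+) size=(?<size>\d+)\z/

SIZE_THRESHOLD = 100_000_000 # same threshold as the size>100000000 SIEM query
BURST_COUNT    = 3           # assumed: more than this many zip uploads ...
BURST_WINDOW   = 60          # ... from one source within this many seconds is a burst

# Parse one line into a hash, or return nil if it does not match the assumed format.
def parse_line(line)
  m = LINE_RE.match(line.strip)
  return nil unless m
  { ts: Time.iso8601(m[:ts]), src: m[:src], path: m[:path], file: m[:file], size: m[:size].to_i }
end

# Returns [large_uploads, burst_sources]: zip uploads over SIZE_THRESHOLD as
# [src, file, size] triples, and sources exceeding BURST_COUNT zip uploads
# inside any BURST_WINDOW-second window.
def scan_uploads(log_text)
  events = log_text.each_line.filter_map { |l| parse_line(l) }
  zips   = events.select { |e| e[:file].end_with?('.zip') && e[:path].end_with?('/submissions') }

  large = zips.select { |e| e[:size] > SIZE_THRESHOLD }.map { |e| [e[:src], e[:file], e[:size]] }

  bursts = []
  zips.group_by { |e| e[:src] }.each do |src, evs|
    times = evs.map { |e| e[:ts] }.sort
    # Sliding window: starting at each event, count events within BURST_WINDOW seconds.
    times.each_with_index do |t0, i|
      n = times[i..].count { |t| t - t0 <= BURST_WINDOW }
      if n > BURST_COUNT
        bursts << src
        break
      end
    end
  end
  [large, bursts]
end

if $PROGRAM_NAME == __FILE__
  large, bursts = scan_uploads(SAMPLE_LOG)
  large.each { |src, file, size| puts "ALERT large zip upload #{file} (#{size} bytes) from #{src}" }
  bursts.each { |src| puts "ALERT #{src}: more than #{BURST_COUNT} zip uploads within #{BURST_WINDOW}s" }
end
```

The size rule catches a single oversized upload, but a zip bomb is small on the wire, which is why the burst rule and the disk and memory indicators above matter more: the compressed upload looks ordinary and the damage shows up as extraction time, disk growth, or out-of-memory errors rather than as request size.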