Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-25962

CVE-2026-25962: Markus Path Traversal Vulnerability

CVE-2026-25962 is a path traversal flaw in Markusproject Markus that allows zip file extraction without size or entry-count limits. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-25962 Overview

CVE-2026-25962 is a Denial of Service vulnerability affecting MarkUs, a web application designed for the submission and grading of student assignments. Prior to version 2.9.4, MarkUs extracts zip files without implementing any size or entry-count limits. This oversight allows both instructors (when uploading assignment configurations) and students (when submitting assignments with extracted contents) to upload maliciously crafted zip files that can exhaust server resources.

Critical Impact

Attackers with low-privilege access can upload specially crafted zip files to cause resource exhaustion and denial of service, potentially disrupting academic operations and grading activities.

Affected Products

  • MarkUs versions prior to 2.9.4
  • MarkUsProject MarkUs (all unpatched deployments)
  • Self-hosted MarkUs instances accepting zip file uploads

Discovery Timeline

  • 2026-03-06 - CVE-2026-25962 published to NVD
  • 2026-03-12 - Last updated in NVD database

Technical Details for CVE-2026-25962

Vulnerability Analysis

This vulnerability falls under CWE-409 (Improper Handling of Highly Compressed Data), commonly associated with zip bomb or decompression bomb attacks. The core issue stems from MarkUs's failure to implement proper safeguards when processing uploaded zip files.

When a user uploads a zip archive, the application extracts its contents without validating the decompressed size or the number of entries within the archive. This design flaw creates a significant attack surface where malicious actors can leverage compression algorithms to create small archives that expand to enormous sizes when extracted.

The vulnerability is exploitable over the network by authenticated users with minimal privileges. Both instructors and students have legitimate upload paths that can be abused, making this vulnerability particularly concerning in educational environments where user trust levels vary.

Root Cause

The root cause is the absence of defensive mechanisms in the zip extraction routine. The application lacks:

  • Decompressed size limits to prevent resource exhaustion
  • Entry count restrictions to limit the number of files extracted
  • Compression ratio checks to detect anomalous archives
  • Progressive extraction validation to halt processing of malicious files

Without these controls, the server blindly processes whatever content is contained within the zip file, making it susceptible to resource exhaustion attacks.

Attack Vector

The attack vector is network-based and requires only low-privilege authentication. An attacker can exploit this vulnerability through two primary paths:

  1. Instructor Upload Path: When configuring assignments, instructors can upload zip files containing configuration materials. A malicious instructor or compromised account could upload a zip bomb disguised as assignment materials.

  2. Student Submission Path: Students can submit assignments as zip files and request extraction of contents. This provides a direct attack vector for any enrolled student to disrupt the grading platform.

The attack typically involves creating a zip archive with a high compression ratio—such as nested archives or highly repetitive data that compresses extremely well. When extracted, these files can expand to consume all available disk space or memory, causing the application to become unresponsive or crash.

Detection Methods for CVE-2026-25962

Indicators of Compromise

  • Unusual disk space consumption on servers hosting MarkUs
  • Server performance degradation or unresponsiveness during file upload operations
  • Failed extraction attempts due to resource limits at the OS level
  • Log entries showing large file extractions or extraction timeouts

Detection Strategies

  • Monitor disk I/O patterns for anomalous write operations during upload processing
  • Implement application-level logging for zip extraction operations including file counts and sizes
  • Set up alerts for extraction operations that exceed normal size thresholds
  • Review upload logs for unusually small zip files that trigger extended processing times

Monitoring Recommendations

  • Configure file system monitoring to alert on rapid disk consumption
  • Implement request duration monitoring for upload endpoints
  • Deploy resource usage alerts for the MarkUs application process
  • Establish baseline metrics for typical zip file processing to identify anomalies

How to Mitigate CVE-2026-25962

Immediate Actions Required

  • Upgrade MarkUs to version 2.9.4 or later immediately
  • Review recent upload activity for any suspicious zip file submissions
  • Implement operating system-level disk quotas as a temporary safeguard
  • Consider temporarily disabling zip extraction features until patching is complete

Patch Information

The MarkUs development team has addressed this vulnerability in version 2.9.4. The patch implements proper size and entry-count limits for zip file extraction, preventing resource exhaustion attacks.

For detailed information about the security fix, refer to the GitHub Security Advisory GHSA-x8xv-j7fc-65x5. The patched release is available at the GitHub Release v2.9.4.

Workarounds

  • Disable zip file upload functionality until the patch can be applied
  • Implement a reverse proxy or WAF rule to limit upload sizes
  • Configure server-level resource limits (ulimits) to contain potential damage
  • Monitor and manually review zip file uploads before processing
bash
# Example: Set disk quota limits as a temporary mitigation
# Limit the MarkUs application user's disk usage
sudo setquota -u markus_app 5G 6G 0 0 /var/www/markus

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.