CVE-2026-25962 Overview
CVE-2026-25962 is a Denial of Service vulnerability affecting MarkUs, a web application designed for the submission and grading of student assignments. Prior to version 2.9.4, MarkUs extracts zip files without implementing any size or entry-count limits. This oversight allows both instructors (when uploading assignment configurations) and students (when submitting assignments with extracted contents) to upload maliciously crafted zip files that can exhaust server resources.
Critical Impact
Attackers with low-privilege access can upload specially crafted zip files to cause resource exhaustion and denial of service, potentially disrupting academic operations and grading activities.
Affected Products
- MarkUs versions prior to 2.9.4
- MarkUsProject MarkUs (all unpatched deployments)
- Self-hosted MarkUs instances accepting zip file uploads
Discovery Timeline
- 2026-03-06 - CVE-2026-25962 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-25962
Vulnerability Analysis
This vulnerability falls under CWE-409 (Improper Handling of Highly Compressed Data), commonly associated with zip bomb or decompression bomb attacks. The core issue stems from MarkUs's failure to implement proper safeguards when processing uploaded zip files.
When a user uploads a zip archive, the application extracts its contents without validating the decompressed size or the number of entries within the archive. This design flaw creates a significant attack surface where malicious actors can leverage compression algorithms to create small archives that expand to enormous sizes when extracted.
The vulnerability is exploitable over the network by authenticated users with minimal privileges. Both instructors and students have legitimate upload paths that can be abused, making this vulnerability particularly concerning in educational environments where user trust levels vary.
Root Cause
The root cause is the absence of defensive mechanisms in the zip extraction routine. The application lacks:
- Decompressed size limits to prevent resource exhaustion
- Entry count restrictions to limit the number of files extracted
- Compression ratio checks to detect anomalous archives
- Progressive extraction validation to halt processing of malicious files
Without these controls, the server blindly processes whatever content is contained within the zip file, making it susceptible to resource exhaustion attacks.
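The four missing controls above, as an added example using only Python's standard library: illustrative code written for this page, not the MarkUs project's own code base or its 2.9.4 fix, with the limit values (100 entries, 1 MiB of output, a 100:1 ratio) chosen here as assumptions. It rejects an archive from its central directory before extraction starts, then charges the bytes actually produced against the same budget while extracting, so the limit also holds if the declared sizes were wrong.

```python
import io
import zipfile
# Policy values are constructed for this example; a deployment would tune them.
MAX_ENTRIES = 100
MAX_TOTAL_BYTES = 1024 * 1024   # total uncompressed output allowed (1 MiB)
MAX_RATIO = 100.0               # per-entry uncompressed/compressed ratio

def preflight(zf):
    """Limits checked from the central directory before anything is written."""
    if len(zf.infolist()) > MAX_ENTRIES:
        raise ValueError(f"too many entries: {len(zf.infolist())}")
    total = 0
    for info in zf.infolist():
        total += info.file_size
        if total > MAX_TOTAL_BYTES:
            raise ValueError("declared uncompressed size exceeds limit")
        if info.file_size / max(info.compress_size, 1) > MAX_RATIO:
            raise ValueError(f"{info.filename}: compression ratio too high")

def extract_bounded(data):
    """Extract into memory, charging bytes actually produced against the budget."""
    out, budget = {}, MAX_TOTAL_BYTES
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        preflight(zf)
        for info in zf.infolist():
            buf = io.BytesIO()
            with zf.open(info) as src:
                while chunk := src.read(64 * 1024):
                    budget -= len(chunk)
                    if budget < 0:
                        raise ValueError("output exceeded byte budget")
                    buf.write(chunk)
            out[info.filename] = buf.getvalue()
    return out

def check_upload(data):
    """What an upload handler would call: (True, files) or (False, reason)."""
    try:
        return True, extract_bounded(data)
    except (ValueError, zipfile.BadZipFile) as exc:
        return False, str(exc)

def make_zip(files):
    # Constructed sample archive, built in memory for the demonstration.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

A 512 KiB run of zero bytes deflates to well under a kilobyte, so the ratio check rejects it even though its declared size is within the total budget.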
Attack Vector
The attack vector is network-based and requires only low-privilege authentication. An attacker can exploit this vulnerability through two primary paths:
Instructor Upload Path: When configuring assignments, instructors can upload zip files containing configuration materials. A malicious instructor or compromised account could upload a zip bomb disguised as assignment materials.
Student Submission Path: Students can submit assignments as zip files and request extraction of contents. This provides a direct attack vector for any enrolled student to disrupt the grading platform.
The attack typically uses a small archive that expands enormously on extraction, built from highly repetitive data that compresses extremely well, or from nested archives. When extracted, such files can consume all available disk space or memory, leaving the application unresponsive or causing it to crash.
Detection Methods for CVE-2026-25962
Indicators of Compromise
- Unusual disk space consumption on servers hosting MarkUs
- Server performance degradation or unresponsiveness during file upload operations
- Failed extraction attempts due to resource limits at the OS level
- Log entries showing large file extractions or extraction timeouts
Detection Strategies
- Monitor disk I/O patterns for anomalous write operations during upload processing
- Implement application-level logging for zip extraction operations including file counts and sizes
- Set up alerts for extraction operations that exceed normal size thresholds
- Review upload logs for unusually small zip files that trigger extended processing times
Monitoring Recommendations
- Configure file system monitoring to alert on rapid disk consumption
- Implement request duration monitoring for upload endpoints
- Deploy resource usage alerts for the MarkUs application process
- Establish baseline metrics for typical zip file processing to identify anomalies
How to Mitigate CVE-2026-25962
Immediate Actions Required
- Upgrade MarkUs to version 2.9.4 or later immediately
- Review recent upload activity for any suspicious zip file submissions
- Implement operating system-level disk quotas as a temporary safeguard
- Consider temporarily disabling zip extraction features until patching is complete
Patch Information
The MarkUs development team has addressed this vulnerability in version 2.9.4. The patch implements proper size and entry-count limits for zip file extraction, preventing resource exhaustion attacks.
For detailed information about the security fix, refer to the GitHub Security Advisory GHSA-x8xv-j7fc-65x5. The patched release is available at the GitHub Release v2.9.4.
Workarounds
- Disable zip file upload functionality until the patch can be applied
- Implement a reverse proxy or WAF rule to limit upload sizes
- Configure server-level resource limits (ulimits) to contain potential damage
- Monitor and manually review zip file uploads before processing
# Example: set disk quota limits as a temporary mitigation.
# Assumes quotas are enabled on the target filesystem (mounted with usrquota
# and activated with quotaon); the last argument must be that mount point.
# Limit the MarkUs application user's disk usage: 5G soft / 6G hard block
# limits, no inode limits (quota-tools 4.x accepts K/M/G/T unit suffixes).
sudo setquota -u markus_app 5G 6G 0 0 /var/www/markus
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.