Listen to this Post
MarkUs prior to version 2.9.4 allows course instructors to upload YAML files for configuring entities like assignment settings. The YAML parser has aliases enabled, meaning anchors (&) and aliases () are processed. This can be abused to create malicious YAML with recursive references, leading to denial of service through memory exhaustion (similar to a billion laughs attack). Additionally, if the parser deserializes objects unsafely, an attacker could potentially achieve remote code execution by embedding crafted class references. The vulnerability stems from the YAML library’s default behavior, which was not restricted in the application. Patched version 2.9.4 disables aliases or switches to a safe parser. The issue was reported responsibly and fixed in the mentioned release.
Platform: MarkUs
Version: <2.9.4
Vulnerability: YAML aliases enabled
Severity: High
date: 2026-03-05
Prediction: Patched v2.9.4
What Undercode Say:
Analytics: MarkUs is widely used in academic institutions for assignment grading. The vulnerability affects all installations using versions prior to 2.9.4, potentially hundreds of servers. Given that instructors have upload privileges, the attack surface is moderate. The patch has been available since mid-March 2026, and updates are recommended urgently.
Bash Commands and Codes:
Check current version:
`gem list markus | grep markus`
Test a malicious YAML payload:
&1 a: 1
Upload via curl:
`curl -F “[email protected]” https://target.com/courses/1/assignments/upload_settings`
Version patch verification:
`git tag | grep 2.9.4</h2>
<h2 style="color: blue;">Exploit:</h2>
1. Craft a YAML file with nested aliases (e.g., a recursive structure) to cause memory exhaustion.
2. Upload the file as a course instructor through the configuration upload feature.
3. The server processes the YAML, triggering exponential expansion and consuming resources.
4. For code execution, combine aliases with deserialization gadgets specific to the Ruby environment (e.g.,!ruby/object).
5. Successful exploitation may lead to server crash or remote shell.
<h2 style="color: blue;">Protection from this CVE:</h2>
Upgrade to MarkUs version 2.9.4 or later, which disables YAML aliases by default. If upgrading is not immediately possible, restrict instructor upload permissions or switch to a safe YAML parser likesafe_yaml`. Additionally, monitor server logs for unusual YAML uploads.
Impact:
- Denial of service: Server can become unresponsive due to memory exhaustion.
- Remote code execution: Potential for full system compromise if combined with unsafe deserialization.
- Data integrity: Malicious configuration changes could alter assignment settings.
- Reputation: Academic institutions may face disruptions in grading workflows.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
<h2 style="color: blue;">Exploit:</h2>
1. Craft a YAML file with nested aliases (e.g., a recursive structure) to cause memory exhaustion.
2. Upload the file as a course instructor through the configuration upload feature.
3. The server processes the YAML, triggering exponential expansion and consuming resources.
4. For code execution, combine aliases with deserialization gadgets specific to the Ruby environment (e.g.,
5. Successful exploitation may lead to server crash or remote shell.
<h2 style="color: blue;">Protection from this CVE:</h2>
Upgrade to MarkUs version 2.9.4 or later, which disables YAML aliases by default. If upgrading is not immediately possible, restrict instructor upload permissions or switch to a safe YAML parser like
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

