mdex is vulnerable to Unbounded memory leak
69
Medium Risk
mdex leaks memory when rendering a document containing escaped-tag nodes. The Rust NIF conversion of each %MDEx.EscapedTag{} into its native representation (From<ExEscapedTag> for NodeValue in document.rs) calls Box::leak on the caller-supplied literal string, surrendering the backing allocation for the entire process lifetime. Both the byte length of each literal and the number of escaped-tag nodes are attacker-controlled, with no size cap or rate limit. Every render through MDEx.to_html/1 or any API that renders a supplied %MDEx.Document{} leaks literal_size × node_count bytes that can never be reclaimed, and repeated renders accumulate without bound.
You are affected if you are using a version that falls within the vulnerable range.
mdex is vulnerable to Unbounded memory leak in versions 0.11.0 - 0.12.2.
Upgrade the mdex library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant