mdex_native is vulnerable to Unbounded memory leak
69
Medium Risk
mdex_native leaks memory when rendering a document containing escaped-tag nodes. The Rust NIF conversion of each %MDEx.EscapedTag{} into its native representation (From<ExEscapedTag> for NodeValue in document.rs) calls Box::leak on the caller-supplied literal string, surrendering the backing allocation for the entire process lifetime. Both the byte length of each literal and the number of escaped-tag nodes are attacker-controlled, with no size cap or rate limit. Every render through MDEx.to_html/1 or any API that renders a supplied %MDEx.Document{} leaks literal_size × node_count bytes that can never be reclaimed, and repeated renders accumulate without bound.
You are affected if you are using a version that falls within the vulnerable range.
mdex_native is vulnerable to Unbounded memory leak in versions 0.1.0 - 0.2.2.
Upgrade the mdex_native library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant