Impact
MarkUs, a web application for student assignment submission and grading, extracts uploaded zip files without imposing size or entry-count limits. An instructor or student can upload a specially crafted zip file (a zip bomb) that expands to a vast number of files or consumes excessive disk space when decompressed, leading to a resource exhaustion attack that can stall the system, deny service to legitimate users, and potentially disrupt grading workflows. The weakness is categorized as CWE-409, reflecting insufficient restriction of file extraction scope.
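As an added illustration (not code from MarkUs or from this advisory), the Python validator below shows the kind of limits an upload handler needs before extracting a submission archive: an entry-count cap, a total decompressed-size budget, and a per-entry compression-ratio check, with the budget re-enforced on the bytes that actually leave the decompressor because the sizes recorded in the archive headers are chosen by the uploader. The limit values and the sample archives are constructed assumptions, not values from MarkUs.

```python
import io
import zipfile

# Illustrative limits for one assignment upload; these are not MarkUs's values.
MAX_ENTRIES = 1000                  # entries per archive
MAX_TOTAL_BYTES = 20 * 1024 * 1024  # decompressed bytes per archive
MAX_RATIO = 100                     # declared decompressed/compressed per entry

class ZipLimitExceeded(ValueError):
    """The archive would exceed the configured extraction limits."""

def check_zip(zip_bytes, max_entries=MAX_ENTRIES,
              max_total_bytes=MAX_TOTAL_BYTES, max_ratio=MAX_RATIO):
    """Validate an upload before extraction; returns (entries, decompressed_bytes)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        if len(infos) > max_entries:
            raise ZipLimitExceeded(f"{len(infos)} entries > {max_entries}")
        # Cheap first rejection on the sizes the central directory declares.
        declared = sum(i.file_size for i in infos)
        if declared > max_total_bytes:
            raise ZipLimitExceeded(f"declares {declared} bytes > {max_total_bytes}")
        total = 0
        for info in infos:
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                raise ZipLimitExceeded(f"{info.filename}: compression ratio too high")
            with zf.open(info) as src:
                # Declared sizes are uploader-controlled, so the budget is enforced
                # again on real decompressor output, in chunks, so a bomb is
                # rejected as soon as it overruns rather than after full inflation.
                for chunk in iter(lambda: src.read(64 * 1024), b""):
                    total += len(chunk)
                    if total > max_total_bytes:
                        raise ZipLimitExceeded("decompressed size over budget")
        return len(infos), total

def make_zip(entries):
    """Build an in-memory zip from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def verdict(zip_bytes, **limits):
    """Return (accepted, detail) for an upload without raising."""
    try:
        return True, check_zip(zip_bytes, **limits)
    except ZipLimitExceeded as exc:
        return False, str(exc)
```

Running `verdict(make_zip({"big.bin": bytes(5 * 1024 * 1024)}))` rejects a 5 MiB run of zeros on its compression ratio, while a normal two-file submission is accepted with its real decompressed size.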
Affected Systems
The vulnerability affects installations of MarkUs prior to version 2.9.4. This includes any instance of the MarkUs project software where assignment configuration uploads or student submissions are processed through the zip extraction module. Affected deployments would be those running older releases of the application, typically found in academic institutions using MarkUs for course management.
Risk and Exploitability
The CVSS score of 6.5 indicates medium severity, with the impact concentrated on availability. The EPSS score is below 1%, suggesting exploit attempts are currently rare or undetected, and the vulnerability does not appear in the CISA KEV catalog. Because the malicious zip file is uploaded through the application's user interface, the attack vector may be local or remote, depending on who can reach the upload functionality. Exploitation requires only the ability to submit or configure an assignment, a capability typical for instructors and students, which makes the threat relevant to a broad user base.
OpenCVE Enrichment