Impact
MarkUs is a web application used for student assignment submission and grading. In versions prior to 2.9.4, it permits course instructors to upload YAML files that are parsed with alias support enabled. An attacker can craft a YAML document that employs the ‘billion laughs’ alias technique, in which each anchored node references the previous one several times, so that the parser expands the nested aliases into an exponentially large data structure that exhausts server memory and CPU resources. The result is a denial of service that can render the web application unresponsive or force it to crash, directly impacting assignment management and potentially delaying grading procedures.
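As an added illustration, not code from MarkUs or from the advisory, the Ruby below builds a deliberately tiny constructed document of the nested-alias shape described above and shows two defensive checks: loading untrusted YAML with Psych's safe_load, which rejects aliases outright, and a pre-load weight check on the parsed AST for code that must keep aliases. The expansion budget of 10_000 is an assumed value, not a MarkUs setting.

```ruby
require 'psych'

# Constructed sample, not from the advisory: a three-level nested-alias document.
# Each level refers to the previous one three times, so the expanded object graph
# grows as 3^n while the text stays tiny. Kept small here so it is safe to parse.
SAMPLE_YAML = <<~YAML
  a: &a ["lol", "lol", "lol"]
  b: &b [*a, *a, *a]
  c: [*b, *b, *b]
YAML

# Defence 1: load untrusted YAML with aliases disabled, which is Psych's
# safe_load default. Any alias node raises Psych::BadAlias (Psych 4 raises its
# subclass Psych::AliasesNotEnabled) before anything is expanded.
def load_untrusted_yaml(text)
  Psych.safe_load(text, permitted_classes: [], aliases: false)
rescue Psych::BadAlias
  :rejected_alias
end

# Defence 2, for code that must keep aliases: bound the expansion cost first.
# Psych.parse builds the AST without expanding aliases, so its size is linear
# in the input. Walking it, an alias costs the weight of the anchored node,
# which gives the number of scalars a full load would materialise.
def expansion_weight(node, anchors = {})
  if node.is_a?(Psych::Nodes::Alias)
    return anchors.fetch(node.anchor) { raise ArgumentError, "undefined anchor #{node.anchor}" }
  end
  weight = if node.is_a?(Psych::Nodes::Scalar)
             1
           else # Stream, Document, Sequence, Mapping
             node.children.sum { |child| expansion_weight(child, anchors) }
           end
  anchors[node.anchor] = weight if node.respond_to?(:anchor) && node.anchor
  weight
end

def yaml_expansion_weight(text)
  document = Psych.parse(text) # returns false for an empty stream
  document ? expansion_weight(document) : 0
end

# Reject documents whose expanded size exceeds a budget chosen for the
# application (10_000 here is an assumed value, not MarkUs' setting).
def within_expansion_budget?(text, limit: 10_000)
  yaml_expansion_weight(text) <= limit
end
```

For the sample, the weight check reports 42 scalars from three lines of text; adding a fourth level would triple it again, which is the growth the check is meant to catch before the full load runs.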
Affected Systems
The vulnerability affects all installations of the MarkUsProject:Markus application using a version earlier than 2.9.4. Any deployment that allows instructors to upload configuration YAML files is subject to this issue until the patch is applied in version 2.9.4 or any later release.
Risk and Exploitability
The CVSS base score of 4.9 indicates a medium severity. The EPSS score of less than 1% suggests a low likelihood of real-world exploitation, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that exploitation requires authenticated access to the instructor file-upload endpoint, so the likely attack vector is a remote attacker who holds instructor privileges. By uploading a malicious YAML file that triggers alias expansion, such an attacker would consume server resources and cause a denial of service.
OpenCVE Enrichment