PT-2026-54955 · Crates.Io · Lopdf

Published

2026-06-21

·

Updated

2026-06-21

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
lopdf::Document::load mem (and the other load* entry points) parses nested PDF arrays and dictionaries with unbounded recursion. A small crafted PDF whose Catalog contains a deeply nested array (/X [[[ … ]]], on the order of 10,000 levels) exhausts the call stack and aborts the process with SIGABRT.
Because this is a stack-overflow abort rather than a panic!, it cannot be caught with catch unwind: any service that parses untrusted PDF input with lopdf can be crashed by a ~21 KB file, resulting in a denial of service.
Confirmed on lopdf 0.41.0 and earlier; fixed in 0.42.0. Default configuration, no features changed.

Proof of concept

rust
fn main() {
  let bytes = std::fs::read("poc.pdf").unwrap(); // ~10,380-deep nested array in the Catalog
  let  = lopdf::Document::load mem(&bytes);   // stack overflow -> SIGABRT
}
An equivalent PoC is a minimal PDF whose Catalog /X value is "[" * 10380 + "]" * 10380.

Suggested fix

Enforce a maximum object-nesting depth in the parser and return an Err instead of recursing without bound.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

RUSTSEC-2026-0187

Affected Products

Lopdf