PT-2026-55746 · Crates.Io · Fulgur

Published

2026-07-05

·

Updated

2026-07-05

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
fulgur converts untrusted HTML/CSS into PDF, commonly on a server that processes input supplied by many tenants. In versions prior to 0.19.0, a body-direct child whose CSS-resolved height greatly exceeds the page height was sliced into one fragment per page with no upper bound.
The height is taken directly from attacker-controlled HTML/CSS (height, vh units), so a few bytes such as <div style="height:99999999px"></div> forced on the order of 125,000 page fragments. The pagination code then allocates vec![Vec::new(); page count] and runs a per-page render loop, resulting in CPU and memory exhaustion. A non-finite height (one that resolves to +inf) additionally made the slicing loop's remaining -= last slice h decrement never terminate, causing an infinite loop.
An attacker able to submit HTML/CSS to a fulgur-based conversion service can trigger this with a trivially small payload, denying service to the host and any co-tenants.
Fixed in 0.19.0: a MAX PAGES cap bounds the slice loop — halting it even for a +inf height — and non-finite layout heights are sanitized so they can no longer drive the loop.

Attack Vector rationale

fulgur performs no network I/O of its own; it renders HTML/CSS handed to it by the embedding application. This advisory scores the crate independent of any specific adopting program, so per the CVSS v3.1 User Guide §3.7 the Attack Vector is assessed as Network for the reasonable worst-case deployment — a network-facing service that renders untrusted HTML without user interaction. A concrete system that receives the HTML in one component and passes it to fulgur in a separate component may assess a lower environmental Attack Vector (Local, per §3.10).

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

RUSTSEC-2026-0200

Affected Products

Fulgur