PT-2026-55747 · Crates.Io · Fulgur

Published

2026-07-05

·

Updated

2026-07-05

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
fulgur converts untrusted HTML/CSS into PDF, commonly on a server that processes input supplied by many tenants. In versions prior to 0.26.0, a childless box that resolved to a pathologically tall height was amplified into thousands of blank PDF pages, even though it produced no visible output.
The childless-collapse defense that would normally collapse such a box was gated by a tag-only "replaced content" check, so any non-painting replaced element bypassed it: an <img> with an unresolved src (the common offline-first case), a visibility:hidden image, an image in an undecodable format, and an empty <svg>. A trailing-sibling variant of the same gap (a tall childless box placed after otherwise normal content) was also open.
A few bytes of HTML therefore amplified into roughly the page cap, MAX PAGES (10,000), of blank pages; the renderer allocates them and runs a per-page loop over them, producing CPU and memory exhaustion. An attacker able to submit HTML to a fulgur-based conversion service can trigger this with a trivially small payload, denying service to the host and any co-tenants.
Fixed in 0.26.0: the tag-only gate was removed so that any pathologically tall childless box collapses regardless of whether it is a replaced element, closing the missing-src, visibility:hidden, undecodable-format, and empty-<svg> vectors along with the trailing-sibling variant.
Versions prior to 0.19.0 additionally lacked any page-count cap, allowing an unbounded (rather than 10,000-page) variant of this amplification; that earlier variant is tracked separately as GHSA-j5cx-ph8g-95v3.
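The following Rust model is an added illustration of the gate described above; it is not fulgur's code. The names LayoutBox, effective_height_vulnerable, effective_height_fixed, page_count, PAGE_HEIGHT and PATHOLOGICAL_HEIGHT, and the threshold values, are assumptions made for the example. It contrasts the pre-0.26.0 tag-only check with the 0.26.0 rule, and shows the page count for a single childless, src-less <img> with and without the 10,000-page cap that 0.19.0 introduced.

```rust
// Illustrative model of the childless-collapse gate; not fulgur's code.
// All names and thresholds below are assumptions for the example.

/// Page cap the advisory attributes to 0.19.0 and later.
pub const MAX_PAGES: usize = 10_000;
/// Assumed page height in layout units.
pub const PAGE_HEIGHT: f64 = 1000.0;
/// Assumed threshold above which a childless box counts as "pathologically tall".
pub const PATHOLOGICAL_HEIGHT: f64 = 100.0 * PAGE_HEIGHT;

#[derive(Debug, Clone)]
pub struct LayoutBox {
    pub tag: &'static str,
    pub children: Vec<LayoutBox>,
    /// Height resolved from CSS, in layout units.
    pub height: f64,
}

/// Tag-only "replaced content" check: it looks at the tag name alone and never
/// asks whether the element has anything to paint (a missing src, a hidden or
/// undecodable image and an empty <svg> all pass through it).
fn is_replaced_tag(tag: &str) -> bool {
    matches!(tag, "img" | "svg" | "video" | "canvas")
}

fn is_pathologically_tall(b: &LayoutBox) -> bool {
    b.children.is_empty() && b.height > PATHOLOGICAL_HEIGHT
}

/// Pre-0.26.0 rule as the advisory describes it: a tall childless box collapses
/// only if its tag is not a replaced element, so every non-painting replaced
/// element keeps its full height.
pub fn effective_height_vulnerable(b: &LayoutBox) -> f64 {
    if is_pathologically_tall(b) && !is_replaced_tag(b.tag) {
        0.0
    } else {
        b.height
    }
}

/// 0.26.0 rule: the tag gate is gone, so any pathologically tall childless box
/// collapses regardless of whether it is a replaced element.
pub fn effective_height_fixed(b: &LayoutBox) -> f64 {
    if is_pathologically_tall(b) {
        0.0
    } else {
        b.height
    }
}

/// Number of pages the renderer would allocate (and loop over) for the
/// top-level boxes under a given collapse rule. `cap` of None models the
/// pre-0.19.0 renderer with no page limit.
pub fn page_count(boxes: &[LayoutBox], rule: fn(&LayoutBox) -> f64, cap: Option<usize>) -> usize {
    let total: f64 = boxes.iter().map(rule).sum();
    let pages = (total / PAGE_HEIGHT).ceil().max(1.0) as usize;
    match cap {
        Some(limit) => pages.min(limit),
        None => pages,
    }
}

/// Constructed payload: a few bytes of HTML such as <img style="height:1e8px">
/// with no src, modelled directly as its resolved layout box.
pub fn srcless_img_payload() -> Vec<LayoutBox> {
    vec![LayoutBox { tag: "img", children: vec![], height: 100_000_000.0 }]
}

/// Constructed trailing-sibling variant: ordinary content followed by the tall box.
pub fn trailing_sibling_payload() -> Vec<LayoutBox> {
    let mut doc = vec![LayoutBox {
        tag: "div",
        children: vec![LayoutBox { tag: "p", children: vec![], height: 500.0 }],
        height: 500.0,
    }];
    doc.extend(srcless_img_payload());
    doc
}

fn main() {
    let payload = srcless_img_payload();
    println!("pre-0.19.0 (no cap):   {} pages", page_count(&payload, effective_height_vulnerable, None));
    println!("0.19.0..0.26.0 (cap):  {} pages", page_count(&payload, effective_height_vulnerable, Some(MAX_PAGES)));
    println!("0.26.0 (gate removed): {} pages", page_count(&payload, effective_height_fixed, Some(MAX_PAGES)));
}
```

The per-page loop is what turns the height into work: even with the cap, the vulnerable rule hands the renderer 10,000 pages for a payload that paints nothing, while the fixed rule collapses the box to a single page. Ordinary content is unaffected by the fix because only childless boxes above the threshold collapse.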

Attack Vector rationale

fulgur performs no network I/O of its own; it renders HTML/CSS handed to it by the embedding application. This advisory scores the crate independent of any specific adopting program, so per the CVSS v3.1 User Guide §3.7 the Attack Vector is assessed as Network for the reasonable worst-case deployment — a network-facing service that renders untrusted HTML without user interaction. A concrete system that receives the HTML in one component and passes it to fulgur in a separate component may assess a lower environmental Attack Vector (Local, per §3.10).


Related Identifiers

RUSTSEC-2026-0201

Affected Products

Fulgur