PT-2026-56304 · Crates.Io · Ratex-Parser

Published

2026-07-07

·

Updated

2026-07-07

·

CVE-2026-53531

CVSS v4.0

6.9

Medium

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Summary

RaTeX’s recursive-descent parser recurses one (or more) native stack frame per nesting level at {, left, sqrt{, ^{, etc, with no maximum depth limit. A short, ~10 KB input of nested groups overflows the 8 MB main-thread stack and aborts the process. With panic = "abort" (Cargo.toml:48), and because a Rust stack overflow is always a fatal SIGABRT regardless of panic strategy this is an unrecoverable, whole-process denial of service reachable from a single untrusted LaTeX string.

Details

The mutual recursion has no depth guard (crates/ratex-parser/src/parser.rs):
parse expression (:113) -> parse atom (:281/285) -> parse group (:451)
                 ^             |
                 |  on '{' (:459) recurse |
                 +--------------------------+
left adds another recursive edge: handle leftparse expression (crates/ratex-parser/src/functions/left right.rs:47). The only counters present are unrelated to depth: leftright depth (a right-matching counter, parser.rs:24) and the macro expander’s max expand = 1000 (macro expander.rs:64), which does not gate brace / left recursion (those tokens never pass through expand once). There is no recursion limit/depth parameter on parse group, parse expression, or parse atom.

PoC

image
$ python3 -c 'import sys;sys.stdout.write("{"*200000+"x"+"}"*200000)' | ./target/release/parse
thread 'main' has overflowed its stack
fatal runtime error: stack overflow, aborting
Aborted (core dumped)      # exit 134
(Other nesting forms work equally, e.g. left(×N, sqrt{×N, ^{×N.)

Impact

A single small request crashes the whole RaTeX process. In a typical server-side math-rendering service this is a reliable, unauthenticated DoS; on smaller worker-thread stacks (e.g. a 512 KB async runtime thread) only a few hundred bytes of nesting are required.

Fix

Resource Exhaustion

Uncontrolled Recursion

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-53531
GHSA-4W5H-HX6R-28Q7

Affected Products

Ratex-Parser