- Reported
- Issued
- Package: fulgur (crates.io)
- Type: Vulnerability
- Categories
- Keywords: #dos #pagination #pdf
- Aliases
- References
- CVSS Score: 7.5 HIGH
- CVSS Details
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Patched
Description
fulgur converts untrusted HTML/CSS into PDF, commonly on a server that
processes input supplied by many tenants. In versions prior to 0.26.0, a
childless box that resolved to a pathologically tall height was amplified into
thousands of blank PDF pages even though it produced no visible output.
The childless-collapse defense that would normally collapse such a box was gated
by a tag-only "replaced content" check, so any non-painting replaced element
bypassed it, including an unresolved src (the common offline-first case), a
visibility:hidden image, an undecodable image format, and an empty <svg>. A
trailing-sibling variant of the same gap was also open.
A few bytes of HTML therefore amplified into roughly MAX_PAGES (10,000) blank
pages; the renderer allocates and runs a per-page loop over them, producing CPU
and memory exhaustion. An attacker able to submit HTML to a fulgur-based
conversion service can trigger this with a trivially small payload, denying
service to the host and any co-tenants.
Fixed in 0.26.0: the tag-only gate was removed so that any pathologically tall
childless box collapses regardless of whether it is a replaced element, closing
the missing-src, visibility:hidden, undecodable-format, and empty-<svg>
vectors along with the trailing-sibling variant.
Versions prior to 0.19.0 additionally lacked any page-count cap, allowing an
unbounded (rather than 10,000-page) variant of this amplification; that earlier
variant is tracked separately as GHSA-j5cx-ph8g-95v3.
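To make the gate described above concrete, here is an added toy model of the childless-collapse check; it is not fulgur's code. The struct, the function names, the page height and the "pathologically tall" threshold are hypothetical, and only MAX_PAGES (10,000) is taken from the advisory. The vulnerable variant reproduces the tag-only "replaced content" gate, so a childless `<img>` with no painted content keeps its full height and the paginator runs up to the cap; the fixed variant drops that gate and collapses any pathologically tall childless box, so the same constructed document lays out to a single page.

```rust
// Added example (not fulgur's code): a reduced model of the layout gate the
// advisory describes. All names and the PAGE_HEIGHT / PATHOLOGICAL_HEIGHT
// constants are hypothetical; MAX_PAGES is the cap named in the advisory.

/// Page-count cap named in the advisory.
pub const MAX_PAGES: usize = 10_000;
/// Hypothetical page height in layout units.
pub const PAGE_HEIGHT: f64 = 1_000.0;
/// Hypothetical threshold for "pathologically tall": at least MAX_PAGES pages.
pub const PATHOLOGICAL_HEIGHT: f64 = PAGE_HEIGHT * MAX_PAGES as f64;

/// A laid-out block box, reduced to the fields the gate inspects.
#[derive(Clone, Debug)]
pub struct LayoutBox {
    pub tag: &'static str,
    pub resolved_height: f64,
    pub has_children: bool,
}

/// The tag-only "replaced content" test that gated the collapse defense.
fn is_replaced_tag(tag: &str) -> bool {
    matches!(tag, "img" | "svg" | "video" | "canvas")
}

/// Modelled pre-0.26.0 behaviour: a pathologically tall childless box is
/// collapsed to zero height unless its tag is a replaced element, so a
/// non-painting <img> (unresolved src, visibility:hidden, undecodable data)
/// or an empty <svg> keeps its full resolved height.
pub fn effective_height_vulnerable(b: &LayoutBox) -> f64 {
    let pathological = b.resolved_height >= PATHOLOGICAL_HEIGHT;
    if !b.has_children && pathological && !is_replaced_tag(b.tag) {
        0.0
    } else {
        b.resolved_height
    }
}

/// Modelled 0.26.0 behaviour: the tag gate is gone, so any pathologically
/// tall childless box collapses regardless of its element type.
pub fn effective_height_fixed(b: &LayoutBox) -> f64 {
    let pathological = b.resolved_height >= PATHOLOGICAL_HEIGHT;
    if !b.has_children && pathological {
        0.0
    } else {
        b.resolved_height
    }
}

/// Pages the paginator would allocate (and loop over) for the document,
/// capped at MAX_PAGES as in the advisory.
pub fn page_count(boxes: &[LayoutBox], height_of: fn(&LayoutBox) -> f64) -> usize {
    let total: f64 = boxes.iter().map(height_of).sum();
    let pages = (total / PAGE_HEIGHT).ceil().max(1.0) as usize;
    pages.min(MAX_PAGES)
}

/// Constructed sample document: one ordinary paragraph plus one childless
/// <img> whose computed height is pathological (the unresolved-src case).
pub fn sample_document() -> Vec<LayoutBox> {
    vec![
        LayoutBox { tag: "p", resolved_height: 40.0, has_children: true },
        LayoutBox { tag: "img", resolved_height: PATHOLOGICAL_HEIGHT * 2.0, has_children: false },
    ]
}

fn main() {
    let doc = sample_document();
    println!("vulnerable gate: {} pages", page_count(&doc, effective_height_vulnerable));
    println!("fixed gate:      {} pages", page_count(&doc, effective_height_fixed));
}
```

Run as written, the vulnerable gate reports 10,000 pages for the two-box document and the fixed gate reports 1. The design point for anyone writing a similar defense is that a gate keyed on the element's tag answers the wrong question: the thing that should decide whether a tall childless box is allowed to consume pages is whether it actually lays out content, which is why the fix removes the tag test entirely rather than adding more tags to it.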
Attack Vector rationale
fulgur performs no network I/O of its own; it renders HTML/CSS handed to it by
the embedding application. This advisory scores the crate independent of any
specific adopting program, so per the CVSS v3.1 User Guide §3.7 the Attack
Vector is assessed as Network for the reasonable worst-case deployment — a
network-facing service that renders untrusted HTML without user interaction. A
concrete system that receives the HTML in one component and passes it to fulgur
in a separate component may assess a lower environmental Attack Vector (Local,
per §3.10).
Advisory available under CC0-1.0 license.