rustsec-2026-0187
Vulnerability from osv_rustsec
lopdf::Document::load_mem (and the other load* entry points) parses nested PDF arrays and dictionaries with unbounded recursion. A small crafted PDF whose Catalog contains a deeply nested array (/X [[[ … ]]], on the order of 10,000 levels) exhausts the call stack and aborts the process with SIGABRT.
Because this is a stack-overflow abort rather than a panic!, it cannot be caught with catch_unwind: any service that parses untrusted PDF input with lopdf can be crashed by a ~21 KB file, resulting in a denial of service.
Confirmed on lopdf 0.41.0 and earlier; fixed in 0.42.0. Default configuration, no features changed.
Proof of concept
fn main() {
let bytes = std::fs::read("poc.pdf").unwrap(); // ~10,380-deep nested array in the Catalog
let _ = lopdf::Document::load_mem(&bytes); // stack overflow -> SIGABRT
}
An equivalent PoC is a minimal PDF whose Catalog /X value is "[" * 10380 + "]" * 10380.
Suggested fix
Enforce a maximum object-nesting depth in the parser and return an Err instead of recursing without bound.
{
"affected": [
{
"database_specific": {
"categories": [
"denial-of-service"
],
"cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"informational": null
},
"ecosystem_specific": {
"affected_functions": null,
"affects": {
"arch": [],
"functions": [],
"os": []
}
},
"package": {
"ecosystem": "crates.io",
"name": "lopdf",
"purl": "pkg:cargo/lopdf"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-0"
},
{
"fixed": "0.42.0"
}
],
"type": "SEMVER"
}
],
"versions": []
}
],
"aliases": [],
"database_specific": {
"license": "CC0-1.0"
},
"details": "`lopdf::Document::load_mem` (and the other `load*` entry points) parses nested PDF arrays and dictionaries with unbounded recursion. A small crafted PDF whose Catalog contains a deeply nested array (`/X [[[ \u2026 ]]]`, on the order of 10,000 levels) exhausts the call stack and aborts the process with `SIGABRT`.\n\nBecause this is a stack-overflow abort rather than a `panic!`, it cannot be caught with `catch_unwind`: any service that parses untrusted PDF input with lopdf can be crashed by a ~21 KB file, resulting in a denial of service.\n\nConfirmed on lopdf 0.41.0 and earlier; fixed in 0.42.0. Default configuration, no features changed.\n\n## Proof of concept\n\n```rust\nfn main() {\n let bytes = std::fs::read(\"poc.pdf\").unwrap(); // ~10,380-deep nested array in the Catalog\n let _ = lopdf::Document::load_mem(\u0026bytes); // stack overflow -\u003e SIGABRT\n}\n```\n\nAn equivalent PoC is a minimal PDF whose Catalog `/X` value is `\"[\" * 10380 + \"]\" * 10380`.\n\n## Suggested fix\n\nEnforce a maximum object-nesting depth in the parser and return an `Err` instead of recursing without bound.",
"id": "RUSTSEC-2026-0187",
"modified": "2026-06-26T09:58:24Z",
"published": "2026-06-21T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/lopdf"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0187.html"
},
{
"type": "REPORT",
"url": "https://github.com/J-F-Liu/lopdf/issues/502"
},
{
"type": "WEB",
"url": "https://github.com/J-F-Liu/lopdf/pull/503"
},
{
"type": "WEB",
"url": "https://github.com/J-F-Liu/lopdf/commit/c755394"
}
],
"related": [],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Stack overflow in lopdf via deeply nested PDF objects"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.