Skip to main content

RaTeX ratex-parser CVE-2026-53531

MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-07-07 https://github.com/erweixin/RaTeX GHSA-4w5h-hx6r-28q7
Share

Severity by source

vuln.today AI
7.5 HIGH

Network-reachable via untrusted LaTeX input with no authentication or preconditions; sole impact is reliable full-process crash (A:H); no confidentiality or integrity effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Lifecycle Timeline

1
Analysis Generated
Jul 08, 2026 - 00:26 vuln.today

DescriptionCVE.org

Summary

RaTeX’s recursive-descent parser recurses one (or more) native stack frame per nesting level at {, \left, \sqrt{, ^{, etc, with no maximum depth limit. A short, ~10 KB input of nested groups overflows the 8 MB main-thread stack and aborts the process. With panic = "abort" (Cargo.toml:48), and because a Rust stack overflow is always a fatal SIGABRT regardless of panic strategy this is an unrecoverable, whole-process denial of service reachable from a single untrusted LaTeX string.

Details

The mutual recursion has no depth guard (crates/ratex-parser/src/parser.rs):

parse_expression (:113)  ->  parse_atom (:281/285)  ->  parse_group (:451)
                                  ^                          |
                                  |   on '{' (:459) recurse  |
                                  +--------------------------+

\left adds another recursive edge: handle_leftparse_expression (crates/ratex-parser/src/functions/left_right.rs:47). The only counters present are unrelated to depth: leftright_depth (a \right-matching counter, parser.rs:24) and the macro expander’s max_expand = 1000 (macro_expander.rs:64), which does not gate brace / \left recursion (those tokens never pass through expand_once). There is no recursion_limit/depth parameter on parse_group, parse_expression, or parse_atom.

PoC

<img width="1097" height="158" alt="image" src="https://github.com/user-attachments/assets/29b837a2-c455-4cb6-a055-514b31c999c6" />

$ python3 -c 'import sys;sys.stdout.write("{"*200000+"x"+"}"*200000)' | ./target/release/parse
thread 'main' has overflowed its stack
fatal runtime error: stack overflow, aborting
Aborted (core dumped)
# exit 134

(Other nesting forms work equally, e.g. \left(×N, \sqrt{×N, ^{×N.)

Impact

A single small request crashes the whole RaTeX process. In a typical server-side math-rendering service this is a reliable, unauthenticated DoS; on smaller worker-thread stacks (e.g. a 512 KB async runtime thread) only a few hundred bytes of nesting are required.

AnalysisAI

Unbounded recursive descent in the RaTeX Rust crate ratex-parser crashes the entire host process when fed deeply nested LaTeX input. The mutual recursion across parse_expression, parse_atom, and parse_group in crates/ratex-parser/src/parser.rs carries no depth guard, so roughly 200,000 nested braces (~400 KB of input, or far less on async worker threads with 512 KB stacks) exhausts the native OS stack and triggers a fatal SIGABRT from which the process cannot recover. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send crafted LaTeX to math-rendering endpoint
Delivery
Parser recurses one stack frame per nesting level
Exploit
Native OS stack exhausted (~200k levels / 8MB)
Execution
SIGABRT terminates entire process
Impact
Service unavailable until restarted

Vulnerability AssessmentAI

Exploitation No special conditions are required for exploitation against default deployments that expose LaTeX input to untrusted users - any service forwarding user-supplied LaTeX to ratex-parser is vulnerable without additional configuration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector or EPSS score is present in the available data; all metric assessments below are independently derived from the description and PoC. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a single HTTP request containing a LaTeX string composed of 200,000 opening brace characters followed by a token and 200,000 closing braces to a server-side math rendering endpoint backed by ratex-parser. The parser's recursive descent allocates one native stack frame per nesting level; at ~200,000 levels the 8 MB main-thread stack is exhausted, SIGABRT is delivered, and the entire rendering service process terminates. …
Remediation No patched version of ratex-parser is confirmed in the advisory data at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53531 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy