Improper Validation of Specified Quantity in Input Affecting oxidize-pdf package, versions <2.6.0

Q: How to fix?

Upgrade oxidize-pdf to version 2.6.0 or higher.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-RUST-OXIDIZEPDF-16734494
published18 May 2026
disclosed11 May 2026
creditbzsanti

Report a new vulnerability Found a mistake?

Introduced: 11 May 2026

NewCWE-1284 (opens in a new tab)

How to fix?

Upgrade oxidize-pdf to version 2.6.0 or higher.

Overview

Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input via the emission of non-finite color values in the content stream. An attacker can cause PDF viewers to reject the content stream, affected page, or entire document by supplying specially crafted color values such as NaN or infinity, which are not valid PDF numeric tokens and bypass input clamping when constructed directly through public enum variants.

Workaround

This vulnerability can be mitigated by always constructing colors via safe constructors that clamp values, avoiding direct enum construction from untrusted input, and validating color components to ensure they are finite before passing them to the API.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
Passive

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
Low

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None