Vulnerability Description
pdoc provides API documentation for Python projects. Documentation generated with `pdoc --math` linked to JavaScript files served from polyfill.io; the polyfill.io CDN has since been sold and now serves malicious code, so every page built with that option loads untrusted script into the reader's browser. This issue has been fixed in pdoc 14.5.1.
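An added check (example code written for this page, not part of the advisory or of pdoc itself): a small scanner that walks a pdoc output directory and reports every `<script>` or `<link>` that loads from polyfill.io, so documentation that was already generated with `pdoc --math` can be found and rebuilt with a fixed pdoc. The sample pages below are constructed; the flagged-host set and the subdomain matching are assumptions of the example.

```python
"""Find generated HTML pages that load resources from polyfill.io."""
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# polyfill.io is the CDN named in the advisory; also matching its subdomains is an assumption.
FLAGGED_HOSTS = {"polyfill.io"}

class _ExternalRefCollector(HTMLParser):
    """Collect every <script src=...> and <link href=...> in a document."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.refs.append(("script", a["src"]))
        elif tag == "link" and a.get("href"):
            self.refs.append(("link", a["href"]))

def _is_flagged(url):
    # urlparse handles https://, http:// and protocol-relative // URLs alike.
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in FLAGGED_HOSTS)

def find_polyfill_refs(html):
    """Return (tag, url) pairs in `html` that load from a flagged host."""
    parser = _ExternalRefCollector()
    parser.feed(html)
    return [(kind, url) for kind, url in parser.refs if _is_flagged(url)]

def scan_docs(root):
    """Scan every .html under `root` (e.g. pdoc's output directory); hits keyed by relative path."""
    root = Path(root)
    hits = {}
    for page in sorted(root.rglob("*.html")):
        found = find_polyfill_refs(page.read_text(encoding="utf-8", errors="replace"))
        if found:
            hits[page.relative_to(root).as_posix()] = found
    return hits

# Constructed samples: a MathJax-style head that first pulls a polyfill from
# polyfill.io, and the same page with that script tag removed.
POLYFILL_TAG = '<script src="https://polyfill.io/v3/polyfill.min.js?features=es6"></script>\n'
AFFECTED_PAGE = ("<html><head>\n" + POLYFILL_TAG
                 + '<script id="MathJax-script" async src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js"></script>\n'
                 + "</head><body><p>docs</p></body></html>")
CLEAN_PAGE = AFFECTED_PAGE.replace(POLYFILL_TAG, "")
```

Run `scan_docs("docs")` against the directory pdoc wrote to; a non-empty result lists the pages that still reference polyfill.io and need to be regenerated with pdoc 14.5.1 or later.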
CVSS Score
7.2 (HIGH)
References
- https://github.com/mitmproxy/pdoc/pull/703
- https://github.com/mitmproxy/pdoc/security/advisories/GHSA-5vgj-ggm4-fg62
- https://sansec.io/research/polyfill-supply-chain-attack
- https://www.vicarius.io/vsociety/posts/polyfillio-in-pdoc-cve-2024-38526
FAQ
What is CVE-2024-38526?
CVE-2024-38526 is a vulnerability with a CVSS score of 7.2 (HIGH). pdoc provides API documentation for Python projects. Documentation generated with `pdoc --math` linked to JavaScript files served from polyfill.io; the polyfill.io CDN has since been sold and now serves malicious code. The issue is fixed in pdoc 14.5.1.
How severe is CVE-2024-38526?
CVE-2024-38526 is rated HIGH, with a CVSS base score of 7.2 out of 10 (see the CVSS Score section above).
Is there a patch for CVE-2024-38526?
Yes. The issue is fixed in pdoc 14.5.1; the pull request and the GitHub security advisory in the references above describe the change. Upgrade pdoc and regenerate any documentation that was previously built with `pdoc --math`, since already-generated HTML keeps its polyfill.io reference until it is rebuilt.