CVE-2024-38526
Published: 26 June 2024
Summary
CVE-2024-38526 is a high-severity vulnerability (weakness type unspecified) in Sansec (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
pdoc is a tool that generates API documentation for Python projects. When invoked with the --math flag, affected versions embed references to JavaScript files hosted on the polyfill.io CDN; after the CDN was acquired, it began serving malicious code, creating a supply-chain exposure for any documentation built with that option. The issue is tracked as CVE-2024-38526 and carries a CVSS 3.1 score of 7.2.
An attacker who compromises or controls the polyfill.io domain can deliver arbitrary JavaScript to any user who views HTML documentation generated by an unpatched pdoc run with --math. Because the CDN reference is included at generation time and requires no authentication or user interaction beyond loading the page, the exposure affects both the documentation authors and all downstream viewers across network boundaries.
The project addressed the problem in release 14.5.1 by removing the dependency on polyfill.io. The accompanying GitHub Security Advisory and pull request 703 recommend upgrading immediately and regenerating documentation with the patched version; no further configuration changes are required. The EPSS score has remained elevated near its recorded peak of 0.86.
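As an added example (not part of this advisory, pdoc, or the referenced pull request), the script below checks already-generated HTML documentation for script or stylesheet references to polyfill.io so that stale builds can be found and regenerated with pdoc 14.5.1 or later. The sample page is constructed; the exact markup an affected pdoc version emitted is an assumption, and the scanner keys only on the URL host, so it matches any page that pulls from that CDN regardless of path or query string.

```python
"""Scan generated HTML documentation for references to the polyfill.io CDN.

Added example for this advisory; not part of pdoc or the advisory text.
Assumes the docs are plain HTML files on disk and that the indicator of
interest is a <script src> or <link href> whose host is polyfill.io or a
subdomain of it (e.g. cdn.polyfill.io).
"""
import sys
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Hosts to flag; a subdomain of any listed host is also flagged.
FLAGGED_HOSTS = ("polyfill.io",)


class _ExternalRefParser(HTMLParser):
    """Collect URLs from <script src=...> and <link href=...> tags."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        attr = {"script": "src", "link": "href"}.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.refs.append(value)


def _host_is_flagged(url):
    """True if the URL's host is a flagged host or a subdomain of one."""
    # Protocol-relative URLs (//polyfill.io/...) need a scheme for urlparse
    # to recognise the host part.
    if url.startswith("//"):
        url = "https:" + url
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in FLAGGED_HOSTS)


def find_polyfill_refs(html):
    """Return the flagged script/stylesheet URLs found in one HTML document."""
    parser = _ExternalRefParser()
    parser.feed(html)
    parser.close()
    return [u for u in parser.refs if _host_is_flagged(u)]


def scan_docs_dir(root):
    """Map each HTML file under `root` to its flagged URLs (only files with hits)."""
    findings = {}
    for path in Path(root).rglob("*.html"):
        hits = find_polyfill_refs(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed sample resembling a page built with an affected `pdoc --math`
# run: one polyfill.io script beside an unrelated CDN that must not be flagged.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-reboot.min.css">
<script src="https://polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js"></script>
</head><body><p>Example documentation page</p></body></html>
"""

if __name__ == "__main__":
    # With a directory argument, scan it; otherwise demonstrate on the sample.
    if len(sys.argv) > 1:
        for file, urls in scan_docs_dir(sys.argv[1]).items():
            print(f"{file}: {', '.join(urls)}")
    else:
        print(find_polyfill_refs(SAMPLE_HTML))
```

Run it as `python scan_polyfill.py ./docs` against a built documentation tree; any file it lists was generated with the affected option and should be rebuilt after upgrading. Matching on the parsed host rather than a substring avoids false positives on look-alike names such as `notpolyfill.io`.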
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-1935
Vulnerability details
pdoc provides API Documentation for Python Projects. Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code. This issue has been fixed in pdoc 14.5.1.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.