Cyber Resilience

CVE-2024-52800

Severity: Low
Published: 29 November 2024
Modified: 15 April 2026
CVSS Score v4: 2.3 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.1249 (94.1st percentile)
Risk Priority: 12 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-52800 is a low-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability. Its CVSS base score is 2.3 (Low).

Operationally, it ranks in the top 5.9% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

veraPDF, an open source PDF/A validation library, contains a theoretical remote code execution issue that arises when policy checks are executed via the command-line interface using custom Schematron files. The CLI path invokes an XSL transformation that could be abused. The flaw does not affect standard validation or the library's common policy-check usage, which relies on Schematron syntax rather than direct XSLT. The vulnerability is tracked as CWE-611 and carries a CVSS 4.0 score of 2.3.

An attacker would need to supply a malicious custom policy file containing XSLT to a user who then processes it on the CLI; successful exploitation could permit arbitrary code execution on the victim system. The attack requires user interaction and is limited to users who deliberately load untrusted custom XSLT-based profiles, which the project states is uncommon.

The GitHub security advisory GHSA-4cx5-89vm-833x confirms the issue is still unpatched. It recommends that users load custom policy files only from trusted sources and avoid untrusted XSLT content until a fix is released. The associated EPSS values (current 0.1249, peak 0.1682) have not shown a pronounced climb from a low baseline.

Vulnerability details

veraPDF is an open source PDF/A validation library. Executing policy checks using custom schematron files via the CLI invokes an XSL transformation that may theoretically lead to a remote code execution (RCE) vulnerability. This doesn't affect the standard validation and policy checks functionality, veraPDF's common use cases. Most veraPDF users don't insert any custom XSLT code into policy profiles, which are based on Schematron syntax rather than direct XSL transforms. For users who do, only load custom policy files from sources you trust. This issue has not yet been patched. Users are advised to be cautious of XSLT code until a patch is available.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived only from the weakness type (CWE-611) cited in the NVD entry.

- Addresses CWE-611: Penetration testing includes XML external entity payloads, detecting XXE vulnerabilities and enabling their mitigation.
- Addresses CWE-611: Identifies XML external entity processing via monitoring of unusual file/network access or resource usage.