CVE-2024-38526
pdoc embeds link to malicious CDN if math mode is enabled
In short
pdoc, a tool for creating Python documentation, included links to a CDN service (polyfill.io) in generated pages when the math feature was enabled. That domain was sold and now distributes malicious code, so malicious scripts could run in users' browsers when they view the generated documentation.
Technical detail
When math mode is enabled, pdoc versions prior to 14.5.1 embed third-party CDN links in the generated HTML documentation. The polyfill.io domain changed ownership and now serves malicious JavaScript, creating a supply chain risk for everyone who views that documentation. The attack vector is passive: a reader's browser loads the compromised CDN resource referenced in the HTML output, with no further interaction required.
Summary generated and translated by AI from the official description.
pdoc provides API Documentation for Python Projects. Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code. This issue has been fixed in pdoc 14.5.1.
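As an added defender-side example (not part of the advisory and not pdoc's own code), the following script scans already-generated HTML for external script and stylesheet references, flags any that resolve to polyfill.io or one of its subdomains, and lists external scripts that carry no Subresource Integrity attribute. The sample HTML, including the jsdelivr URL and its integrity value, is constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host named in the advisory as having changed ownership.
FLAGGED_HOSTS = {"polyfill.io"}

# Constructed sample of what pdoc --math style output might contain.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-chtml.js"
        integrity="sha384-CONSTRUCTED-PLACEHOLDER"></script>
<link rel="stylesheet" href="//polyfill.io/style.css">
<script src="js/search.js"></script>
</head><body><p>docs</p></body></html>"""


def host_is_flagged(host):
    """True for the flagged domain itself or any of its subdomains."""
    return any(host == h or host.endswith("." + h) for h in FLAGGED_HOSTS)


class ExternalResourceScanner(HTMLParser):
    """Collect <script src> and <link href> references that point off-site."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        if not url:
            return
        host = urlparse(url).hostname  # None for relative (local) paths
        if host is None:
            return
        self.findings.append({"tag": tag, "url": url, "host": host,
                              "flagged": host_is_flagged(host),
                              "integrity": "integrity" in a})


def scan_html(html):
    scanner = ExternalResourceScanner()
    scanner.feed(html)
    return scanner.findings


def flagged_urls(html):
    return [f["url"] for f in scan_html(html) if f["flagged"]]


def unpinned_scripts(html):
    """External scripts without SRI: a new owner of the host can swap contents."""
    return [f["url"] for f in scan_html(html) if f["tag"] == "script" and not f["integrity"]]


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(("FLAGGED  " if f["flagged"] else "external ") + f["url"])
```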
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L/E:H/RL:O/RC:C/MC:N/MI:N/MA:N
Affected products
mitmproxy · pdoc