
CVE-2024-38526: pdoc Documentation Generator XSS Flaw

CVE-2024-38526 is a cross-site scripting vulnerability in pdoc that affects documentation generated with the --math flag, because those pages linked to the compromised polyfill.io CDN. This article covers technical details, impact, and patches.

CVE-2024-38526 Overview

pdoc provides API Documentation for Python Projects. Documentation generated with pdoc --math linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code. This issue has been fixed in pdoc 14.5.1.

Critical Impact

High-severity vulnerability: through a supply chain attack on the CDN, arbitrary JavaScript can execute in the browser of anyone viewing the generated documentation.

Affected Products

  • pdoc versions before 14.5.1

Discovery Timeline

  • 2024-06-26 - CVE-2024-38526 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2024-38526

Vulnerability Analysis

The vulnerability arises because documentation generated with pdoc --math loads JavaScript from an external CDN (polyfill.io). Once that CDN was compromised to serve malicious scripts, those scripts execute in the browser of anyone who views the generated pages.

Root Cause

The root cause is reliance on a third-party JavaScript library fetched at page load from polyfill.io. After the domain was acquired by a malicious entity, that library began serving harmful code, and every previously generated page kept pulling it in.

Attack Vector

The attack vector is network-based: the attacker never touches pdoc or the documented project, but controls the external JavaScript dependency and thereby delivers malicious scripts to every browser that loads the generated pages.

```html
<!-- Illustrative only: markup of the kind a generated --math page emitted, loading JavaScript from the external CDN -->
<script src="https://cdn.polyfill.io/v2/polyfill.min.js"></script>
<!-- Placeholder for content injected by the compromised script; the domain below is not a real indicator -->
<iframe src="https://malicious-site.com/attack.js"></iframe>
```

Detection Methods for CVE-2024-38526

Indicators of Compromise

  • Unusual network requests to polyfill.io
  • Unexpected JavaScript execution
  • Suspicious iframes loading from unknown sources

Detection Strategies

Monitor network traffic for requests to suspicious domains, particularly polyfill.io, and watch for browser-side anomalies in JavaScript execution.
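A complementary check is to scan already published documentation for the CDN reference itself, since pages built with a vulnerable pdoc keep loading it until they are regenerated. The following scanner is an added example, not code from pdoc or from the original advisory; the sample HTML is constructed for illustration and does not reproduce pdoc's exact markup.

```python
"""Scan generated HTML for scripts or stylesheets loaded from flagged external hosts."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the advisory names as a compromised CDN; subdomains such as cdn.polyfill.io match too.
FLAGGED_HOSTS = {"polyfill.io"}

class ResourceCollector(HTMLParser):
    """Collect the src of <script> tags and the href of <link> tags."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.urls.append(attrs["src"])
        elif tag == "link" and attrs.get("href"):
            self.urls.append(attrs["href"])

def _host(url):
    # Protocol-relative URLs ("//host/x.js") still load from a remote host.
    if url.startswith("//"):
        url = "https:" + url
    return urlparse(url).hostname

def external_resources(html):
    """Return every script/stylesheet URL that points at a remote host (not a local path)."""
    parser = ResourceCollector()
    parser.feed(html)
    return [u for u in parser.urls if _host(u)]

def flagged_resources(html):
    """Return only the URLs served by a flagged host or one of its subdomains."""
    hits = []
    for url in external_resources(html):
        host = _host(url).lower()
        if any(host == f or host.endswith("." + f) for f in FLAGGED_HOSTS):
            hits.append(url)
    return hits

# Constructed sample resembling a documentation page built before the fix.
SAMPLE_DOC = """<!doctype html><html><head>
<script src="https://cdn.polyfill.io/v2/polyfill.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-chtml.js"></script>
<link rel="stylesheet" href="/docs/theme.css">
<script src="//polyfill.io/v3/polyfill.min.js?features=es6"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for url in flagged_resources(SAMPLE_DOC):
        print("flagged:", url)
```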

Monitoring Recommendations

Deploy HTTP traffic analysis tools to flag unusual outbound requests and integrate with SIEM tools for alerting on anomalous activities.

How to Mitigate CVE-2024-38526

Immediate Actions Required

  • Lock JavaScript dependencies to known safe versions
  • Immediately update pdoc to version 14.5.1
  • Block outbound traffic to polyfill.io if feasible

Patch Information

Updating to pdoc version 14.5.1 resolves this vulnerability by removing the reliance on the compromised polyfill.io CDN.

Workarounds

Serve the JavaScript the documentation needs from local, vendored copies rather than from external CDNs, so that a compromised third party cannot inject code into the generated pages.

```bash
# Configuration example: remove the external dependency rather than relying on a CDN.
# The supported fix is to upgrade pdoc to 14.5.1 or later, which no longer references polyfill.io.
pip install --upgrade 'pdoc>=14.5.1'
# Regenerate any documentation previously built with --math so the old CDN reference disappears.
# (./your_module and ./docs are placeholders for the project being documented and the output path.)
pdoc --math ./your_module -o ./docs
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
