CVE-2024-38526
Published 2024-06-26
Priority P178 · high · 7.2 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:C / C:L / I:N / A:L
ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 3.83% (88.8th percentile)
pdoc provides API Documentation for Python Projects. Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code. This issue has been fixed in pdoc 14.5.1.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mitmproxy | pdoc | < 14.5.1 | 14.5.1 |
| mitmproxy | pdoc | >= 0 < 14.5.1 | 14.5.1 |
Detection & IOCs (extracted from sources)
- Scan all page resources (src, href, url, action attributes) for references to any of the impacted polyfill-related domains; a match indicates compromise.
- Match page-loaded URLs against the word list polyfill.io, bootcdn.net, bootcss.com, staticfile.net, staticfile.org, unionadjs.com, xhsbpza.com, union.macoms.la, newcrbpc.com to detect affected pages.
- Use Qualys QID 152105 to detect pdoc-generated pages that load JavaScript from polyfill.io (CVE-2024-38526 specific).
- Use Qualys QID 152102 to detect any page directly loading from the malicious polyfill.io CDN.
- Use Qualys QID 731609 for VM-level detection of the polyfill.io supply chain vulnerability across assets.
- The vulnerability is only triggered when pdoc is invoked with the `--math` flag, which causes the generated documentation to load JavaScript from cdn.polyfill.io.
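The first two detection items describe a resource scan over generated HTML. The following is an added example (not from the page, pdoc, or Qualys) that implements it with the standard library: it walks `src`, `href` and `action` attributes plus CSS `url()` references in `style` attributes and `<style>` blocks, and matches hosts against the domain list above (including subdomains such as cdn.polyfill.io) while rejecting look-alike hosts that merely contain the string. The sample HTML is constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain list from the detection notes above; subdomains (cdn.polyfill.io) match too.
IMPACTED_DOMAINS = (
    "polyfill.io", "bootcdn.net", "bootcss.com", "staticfile.net", "staticfile.org",
    "unionadjs.com", "xhsbpza.com", "union.macoms.la", "newcrbpc.com",
)
RESOURCE_ATTRS = ("src", "href", "action")
CSS_URL_RE = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)""", re.IGNORECASE)

def host_is_impacted(url: str) -> bool:
    """True if the URL's host equals or is a subdomain of an impacted domain."""
    url = url.strip()
    if url.startswith("//"):          # protocol-relative URLs have a host too
        url = "https:" + url
    host = (urlparse(url).hostname or "").lower()   # relative paths -> no host
    return any(host == d or host.endswith("." + d) for d in IMPACTED_DOMAINS)

class ResourceScanner(HTMLParser):
    """Collects (tag, attribute, url) for every resource reference to an impacted host."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if value is None:
                continue
            if name in RESOURCE_ATTRS and host_is_impacted(value):
                self.findings.append((tag, name, value))
            elif name == "style":            # inline CSS, e.g. background: url(...)
                self._scan_css(tag, value)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:                  # body of a <style> block
            self._scan_css("style", data)

    def _scan_css(self, tag, css):
        for url in CSS_URL_RE.findall(css):
            if host_is_impacted(url):
                self.findings.append((tag, "url()", url))

def scan_html(html: str):
    """Return all impacted-domain resource references found in an HTML document."""
    scanner = ResourceScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: one polyfill.io script, one CSS url() hit, one look-alike host.
SAMPLE_HTML = """<!doctype html><html><head>
<link rel="stylesheet" href="/docs/style.css">
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<style>.logo { background: url("//staticfile.org/img/bg.png"); }</style>
</head><body><form action="https://example.org/search"><input name="q"></form>
<a href="https://polyfill.io.example.com/x">look-alike host, not a match</a>
</body></html>"""
```

Running `scan_html(SAMPLE_HTML)` on the constructed page reports the polyfill.io script tag and the staticfile.org CSS reference and nothing else.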
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L |
| ghsa | | 7.2 | HIGH | |
| osv | | 7.2 | HIGH | |
| vulncheck | | 7.2 | HIGH | |
| vendor_oracle | | 7.2 | HIGH | |
GHSA
pdoc embeds link to malicious CDN if math mode is enabled
ghsa·2024-06-25·CVSS 7.2
CVE-2024-38526 [HIGH] pdoc embeds link to malicious CDN if math mode is enabled
### Impact
Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io.
The polyfill.io CDN has been sold and now serves malicious code.
Users who produce documentation with math mode should update immediately. All other users are unaffected.
### Patches
This issue has been fixed in pdoc 14.5.1.
### References
https://github.com/mitmproxy/pdoc/pull/703
https://sansec.io/research/polyfill-supply-chain-attack
### Timeline
- **[2024-06-25]** https://sansec.io/research/polyfill-supply-chain-attack is published.
- **[2024-06-25 20:54 UTC]** Issue reported to the pdoc project by @adhintz.
- **[2024-06-25 21:33 UTC]** Patched version released.
- **[2024-06-25 21:37 UTC]** Security advisory published.
OSV
pdoc embeds link to malicious CDN if math mode is enabled
osv·2024-06-25·CVSS 7.2
Advisory text identical to the GHSA entry above.
VulnCheck
pdoc API Documentation for Python Projects 'pdoc --math' Vulnerability
vulncheck·2024·CVSS 7.2
CVE-2024-38526 [HIGH] pdoc API Documentation for Python Projects 'pdoc --math' Vulnerability
pdoc provides API Documentation for Python Projects. Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code.
Affected: pdoc API Documentation for Python Projects
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://45734016.fs1.hubspotusercontent-na1.net/hubfs/45734016/THREATMON%20GLOBAL%20CYBER%20THREAT%20REPORT%202024_H1.pdf; https://45734016.fs1.hubspotusercontent-na1.net/hubfs/45734016/GLOBAL%20CYBER%20THREAT%20REPORT%202024%20.pdf
Oracle
Oracle Siebel CRM Risk Matrix: EAI, UI (Oxygen XML WebHelp) — CVE-2024-38526
vendor_oracle·2025-01-15·CVSS 7.2
CVE-2024-38526 [HIGH] Oracle Siebel CRM Risk Matrix: EAI, UI (Oxygen XML WebHelp) vulnerability
CVE: CVE-2024-38526
CVSS: 7.2
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2025 (JAN 2025)
No detection rules found.
Nuclei
Polyfill Supply Chain Attack Malicious Code Execution
nuclei·CVSS 7.2
CVE-2024-38526 [HIGH] Polyfill Supply Chain Attack Malicious Code Execution
pdoc provides API Documentation for Python Projects. Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io
Template:

```yaml
id: CVE-2024-38526

info:
  name: Polyfill Supply Chain Attack Malicious Code Execution
  author: abut0n
  severity: high
  description: |
    pdoc provides API Documentation for Python Projects. Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io
  impact: |
    The polyfill.io CDN has been sold and now serves malicious code.
  remediation: |
    This issue has been fixed in pdoc 14.5.1.
  reference:
    - https://sansec.io/research/polyfill-supply-chain-attack
    - https://nvd.nist.gov/vuln/detail/CVE-2024-38526
    - https://x.com/triblondon/status/1761852117579427975
    - https://github.
```
Qualys
Polyfill.io Supply Chain Attack: What You Need to Know | Qualys
blogs_qualys·2024-06-29
#### Table of Contents
- Polyfill.io Timeline:
- How Websites Became Vulnerable Due to Polyfill.io
- Steps Taken to Notify Affected Users and Domain Owners of the Polyfill.io Attack
- How Qualys Helps Secure Your Website from Polyfill.io Vulnerabilities
- Using VMDR Scan to Detect Polyfill Vulnerability and Protect Your Assets
- How Web Application Scans Can Detect Polyfill.io Vulnerability on Your Website
- Web Malware Scan to detect malware on your website
- References:
The polyfill.js is a popular open-source library that helps older browsers support functionality in newer browsers. Thousands of sites embed it using the cdn[.]polyfill[.]io domain. In February 2024, a Chinese company (Funnull) bought the domain and the GitHub account. The company has modified Polyfill.js so malicious c
Qualys
Understanding the Polyfill.io Supply Chain Attack and Its Impact
blogs_qualys·2024-06-29
## Table of Contents
- Polyfill.io Timeline:
- How Websites Became Vulnerable Due to Polyfill.io
- Steps Taken to Notify Affected Users and Domain Owners of the Polyfill.io Attack
- How Qualys Helps Secure Your Website from Polyfill.io Vulnerabilities
- Using VMDR Scan to Detect Polyfill Vulnerability and Protect Your Assets
- How Web Application Scans Can Detect Polyfill.io Vulnerability on Your Website
- Web Malware Scan to detect malware on your website
- References:
The polyfill.js is a popular open-source library that helps older browsers support functionality in newer browsers. Thousands of sites embed it using the cdn[.]polyfill[.]io domain. In February 2024, a Chinese company (Funnull) bought the domain and the GitHub account. The company has modified Polyfill.js so malicious code would b
References:
- https://github.com/mitmproxy/pdoc/pull/703
- https://github.com/mitmproxy/pdoc/security/advisories/GHSA-5vgj-ggm4-fg62
- https://sansec.io/research/polyfill-supply-chain-attack
- https://www.vicarius.io/vsociety/posts/polyfillio-in-pdoc-cve-2024-38526