CVE-2024-38526
published 2024-06-26


Priority: P178 (high)
CVSS 3.1: 7.2 (AV:N / AC:L / PR:N / UI:N / S:C / C:L / I:N / A:L)
In the wild: exploited (VulnCheck KEV)
EPSS: 3.83% (88.8th percentile)
pdoc provides API Documentation for Python Projects. Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code. This issue has been fixed in pdoc 14.5.1.

Affected

2 ranges

Vendor      Product   Version range    Fixed in
mitmproxy   pdoc      < 14.5.1         14.5.1
mitmproxy   pdoc      >= 0, < 14.5.1   14.5.1

Detection & IOCs (extracted from sources)

domain: cdn.polyfill.io
domain: bootcdn.net
domain: bootcss.com
domain: staticfile.net
domain: staticfile.org
domain: unionadjs.com
domain: xhsbpza.com
domain: union.macoms.la
domain: newcrbpc.com
url: https://kuurza.com/redirect?from=bitget
url: https://www.googie-anaiytics.com/html/checkcachehw.js
url: https://www.googie-anaiytics.com/ga.js
url: https://cdn.bootcss.com/highlight.js/9.7.0/highlight.min.js
url: https://union.macoms.la/jquery.min-4.0.2.js
url: https://newcrbpc.com/redirect?from=bscbc
domain: googie-anaiytics.com
domain: kuurza.com
  • Scan all page resources (src, href, url(), action attributes) for references to any of the impacted polyfill-related domains; a match means the page pulls code from a domain that served malicious JavaScript and should be treated as affected.
  • Match page-loaded URLs against the word list: polyfill.io, bootcdn.net, bootcss.com, staticfile.net, staticfile.org, unionadjs.com, xhsbpza.com, union.macoms.la, newcrbpc.com to detect affected pages (match on the host, including subdomains such as cdn.polyfill.io).
  • Use Qualys QID 152105 to detect pdoc-generated pages that load JavaScript from polyfill.io (CVE-2024-38526 specific).
  • Use Qualys QID 152102 to detect any page directly loading from the malicious polyfill.io CDN.
  • Use Qualys QID 731609 for VM-level detection of the polyfill.io supply chain vulnerability across assets.
  • The vulnerability is only triggered when pdoc is invoked with the --math flag, which causes the generated documentation to load JavaScript from cdn.polyfill.io. Documentation built without --math, or rebuilt with pdoc 14.5.1 or later, does not reference polyfill.io.
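The resource scan described in the first two detection bullets, as an added example that is not part of this database entry or of pdoc itself. It walks a generated HTML page with the standard-library HTML parser, collects every src/href/action/srcset reference and every CSS url(), and matches the host (including subdomains) against the IOC domain list above. The two sample pages are constructed for illustration; the polyfill.io script URL in the affected sample is modelled on a page that loads a polyfill before MathJax, not copied from pdoc's template.

```python
"""Scan generated HTML for resources served from the polyfill.io IOC domains.

Added example, not code from the vulnerability database or from pdoc.
The sample pages below are constructed; the IOC domains are those listed
on the page.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

IOC_DOMAINS = (
    "polyfill.io", "bootcdn.net", "bootcss.com", "staticfile.net",
    "staticfile.org", "unionadjs.com", "xhsbpza.com", "union.macoms.la",
    "newcrbpc.com", "googie-anaiytics.com", "kuurza.com",
)
URL_ATTRS = ("src", "href", "action", "data", "poster")
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)")


def host_of(ref):
    """Host of an absolute or protocol-relative URL; None for relative refs."""
    ref = ref.strip()
    if ref.startswith("//"):          # protocol-relative, still a remote load
        ref = "https:" + ref
    hostname = urlparse(ref).hostname
    return hostname.lower() if hostname else None


def is_ioc_host(host):
    """True for an IOC domain or any subdomain of one (cdn.polyfill.io).

    Suffix-with-dot matching avoids false positives such as notpolyfill.io
    that a raw substring match on the word list would produce.
    """
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


class ResourceScanner(HTMLParser):
    """Collects (tag, attribute, url) for every remote reference to an IOC host."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if value is None:
                continue
            if name in URL_ATTRS:
                self._check(tag, name, value)
            elif name == "style":                       # inline CSS url()
                for ref in CSS_URL_RE.findall(value):
                    self._check(tag, "style url()", ref)
            elif name == "srcset":                      # "url 2x, url 1x"
                for candidate in value.split(","):
                    self._check(tag, "srcset", candidate.strip().split(" ")[0])

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:                              # <style> block url()
            for ref in CSS_URL_RE.findall(data):
                self._check("style", "url()", ref)

    def _check(self, tag, attr, ref):
        host = host_of(ref)
        if host and is_ioc_host(host):
            self.findings.append((tag, attr, ref.strip()))


def scan_html(html):
    """Return every resource reference in `html` whose host is an IOC domain."""
    scanner = ResourceScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a docs page that loads a polyfill before MathJax, plus
# a highlight.js copy from bootcss and a background image from staticfile.
AFFECTED_PAGE = """<html><head>
<link rel="stylesheet" href="theme.css">
<script src="https://polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js"></script>
<script src="https://cdn.bootcss.com/highlight.js/9.7.0/highlight.min.js"></script>
<style>body { background: url(//static.staticfile.org/bg.png); }</style>
</head><body><a href="index.html">Home</a></body></html>"""

# Constructed sample: same page without the polyfill and third-party CDN loads.
CLEAN_PAGE = """<html><head>
<script src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js"></script>
</head><body><a href="index.html">Home</a></body></html>"""

if __name__ == "__main__":
    for page_name, page in (("affected", AFFECTED_PAGE), ("clean", CLEAN_PAGE)):
        for tag, attr, ref in scan_html(page):
            print(f"{page_name}: <{tag} {attr}> {ref}")
```

Run it over a directory of generated docs by feeding each .html file to scan_html; any non-empty result is a page to rebuild with pdoc 14.5.1 or later (or without --math). Relative references such as theme.css are ignored because they are not remote loads, and protocol-relative //host/... references are treated as remote because the browser will fetch them.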

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             3.1       7.2     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
ghsa                      7.2     HIGH
osv                       7.2     HIGH
vulncheck                 7.2     HIGH
vendor_oracle             7.2     HIGH