Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS01dmdqLWdnbTQtZmc2Ms4AA9W1

pdoc embeds link to malicious CDN if math mode is enabled

Impact

Documentation generated with pdoc --math linked to JavaScript files from polyfill.io.
The polyfill.io CDN has been sold and now serves malicious code.

Users who produce documentation with math mode should update immediately. All other users are unaffected.

Patches

This issue has been fixed in pdoc 14.5.1.
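
Upgrading pdoc does not rewrite HTML that was generated earlier, so published documentation should be checked as well. The following Python script is an added example, not part of the advisory or of pdoc: it scans a directory of generated HTML for script tags whose source host is polyfill.io or a subdomain of it. The sample page, its URLs and all function names are constructed for this example.

```python
import sys
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlsplit

BAD_DOMAIN = "polyfill.io"  # the CDN domain named in the advisory
# Constructed sample page (not real pdoc output); both script URLs are made up.
SAMPLE = """<html>
<head>
<script src="https://polyfill.io/example.js"></script>
<script src="https://cdn.example.org/math.js"></script>
</head></html>"""

def is_flagged(src):
    """True if src resolves to polyfill.io or one of its subdomains."""
    try:
        host = (urlsplit(src.strip()).hostname or "").rstrip(".")
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return False
    return host == BAD_DOMAIN or host.endswith("." + BAD_DOMAIN)

class ScriptSrcFinder(HTMLParser):
    """Collects (line, src) for every flagged <script src=...> tag."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src and is_flagged(src):
            self.hits.append((self.getpos()[0], src))

def scan_html(text):
    finder = ScriptSrcFinder()
    finder.feed(text)
    finder.close()
    return finder.hits

def scan_tree(root):
    """Scan every *.html file under root; returns (path, line, src) tuples."""
    return [(str(p), line, src)
            for p in sorted(Path(root).rglob("*.html"))
            for line, src in scan_html(p.read_text(encoding="utf-8", errors="replace"))]

if __name__ == "__main__":
    found = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_html(SAMPLE)
    for hit in found:
        print(*hit, sep=":")
    sys.exit(1 if found else 0)
```

Run it with the documentation output directory as its argument; a non-zero exit status means at least one page still references the domain and should be regenerated with a fixed pdoc.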

References

https://github.com/mitmproxy/pdoc/pull/703
https://sansec.io/research/polyfill-supply-chain-attack

Timeline

Permalink: https://github.com/advisories/GHSA-5vgj-ggm4-fg62
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01dmdqLWdnbTQtZmc2Ms4AA9W1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 19 days ago
Updated: 18 days ago


CVSS Score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L

Identifiers: GHSA-5vgj-ggm4-fg62, CVE-2024-38526
References: Repository: https://github.com/mitmproxy/pdoc
Blast Radius: 18.6

Affected Packages

pypi:pdoc
Dependent packages: 192
Dependent repositories: 388
Downloads: 260,432 last month
Affected Version Ranges: < 14.5.1
Fixed in: 14.5.1
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.0.12, 0.0.13, 0.0.14, 0.0.15, 0.0.16, 0.0.17, 0.0.18, 0.0.19, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.3.0, 0.3.1, 0.3.2, 0.4.1, 1.0.0, 1.0.1, 1.1.0, 2.0.0, 3.0.0, 3.0.1, 4.0.0, 5.0.0, 6.0.0, 6.1.0, 6.1.1, 6.2.0, 6.3.0, 6.3.1, 6.3.2, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.5.0, 6.6.0, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.2.0, 7.3.0, 7.3.1, 7.4.0, 8.0.0, 8.0.1, 8.1.0, 8.2.0, 8.3.0, 9.0.0, 9.0.1, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 11.0.0, 11.1.0, 11.2.0, 12.0.0, 12.0.1, 12.0.2, 12.1.0, 12.2.0, 12.2.1, 12.2.2, 12.3.0, 12.3.1, 13.0.0, 13.0.1, 13.1.0, 13.1.1, 14.0.0, 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.5.0
All unaffected versions: 14.5.1