In this post, we will discuss a recent vulnerability in pdoc, an API documentation tool for Python projects. We will look at the vulnerability tracked as CVE-2024-38526, how it can be exploited, and how to resolve it.

Overview

pdoc is a popular Python library that helps developers automatically generate API documentation for their projects. Recently, the library has been found to contain a significant security vulnerability because it loaded third-party JavaScript files from the now-compromised polyfill.io domain. This issue is tracked as CVE-2024-38526.

The vulnerability exists because pdoc version 14.5 and earlier emitted documentation that linked to JavaScript files served by polyfill.io, and those files have since been replaced by malicious code. An attacker controlling that domain can execute arbitrary JavaScript in the browser of anyone viewing the generated documentation, potentially leading to the theft of sensitive information and unauthorized actions.

Let's delve deeper into the exploit details and the agreed-upon fix for this issue.

Exploit Details

When documentation was generated with the pdoc --math flag, the output HTML included a script tag loading a polyfill bundle from the polyfill.io CDN so that LaTeX math equations would render properly across browsers.

A code snippet of the affected pdoc --math usage, invoking the command-line entry point from Python:

# Usage of the --math flag in affected pdoc versions (14.5 and earlier);
# equivalent to running `pdoc --math my_module` on the command line.
import sys
import pdoc.__main__

# "my_module" is a placeholder for the module to document.
sys.argv = ["pdoc", "--math", "my_module"]
pdoc.__main__.cli()

The issue lies in the script tag that pulls JavaScript from the compromised polyfill.io domain. As a result, users viewing the documentation would unknowingly execute whatever JavaScript that domain now serves.

Original reference to polyfill.io, from the pdoc source code in version 14.5 and earlier:

<!-- Affected pdoc script tag -->
<script src="https://polyfill.io/v3/polyfill.min.js?features=es6,elem-dataset,fetch"></script>

Because the malicious code from polyfill.io runs in the context of the documentation page, an attacker can manipulate the user's browser, steal sensitive information, or perform unauthorized actions on the user's behalf.
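Documentation generated by an affected version and already published keeps the tag even after pdoc itself is upgraded. The following scanner, an added example that is not part of the original post or of pdoc, finds script tags whose host is polyfill.io (or a subdomain) in a tree of generated HTML; the sample HTML is constructed for illustration.

```python
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

FLAGGED_HOSTS = {"polyfill.io"}  # hosts whose scripts must not be loaded


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def find_flagged_scripts(html: str) -> list[str]:
    """Return script URLs whose host is polyfill.io or a subdomain of it."""
    parser = _ScriptSrcCollector()
    parser.feed(html)
    hits = []
    for src in parser.srcs:
        # urlparse also resolves protocol-relative "//polyfill.io/..." URLs
        host = (urlparse(src).hostname or "").lower()
        if host in FLAGGED_HOSTS or any(host.endswith("." + h) for h in FLAGGED_HOSTS):
            hits.append(src)
    return hits


def scan_docs_dir(root: Path) -> dict[str, list[str]]:
    """Map each HTML file under root to the flagged script URLs it contains."""
    findings = {}
    for path in root.rglob("*.html"):
        hits = find_flagged_scripts(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed sample resembling affected --math output (not real pdoc output).
SAMPLE_HTML = """<html><head>
<script src="https://polyfill.io/v3/polyfill.min.js?features=es6,elem-dataset,fetch"></script>
<script src="https://cdn.example.org/mathjax/tex-chtml.js"></script>
</head><body><p>docs</p></body></html>"""

if __name__ == "__main__":
    print(find_flagged_scripts(SAMPLE_HTML))
```

Run scan_docs_dir(Path("docs")) against a published documentation tree; any non-empty result should be regenerated with a patched pdoc.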

Solution and Remediation

The pdoc maintainers were quick to address this issue and released a patch in version 14.5.1, which no longer includes the polyfill.io JavaScript files in the generated documentation.

To resolve this vulnerability, update your pdoc installation to version 14.5.1 or later and regenerate any previously published documentation. If you're not sure which version you're currently using, you can check it with the following command:

pip show pdoc

To update your pdoc installation, simply run the following command:

pip install --upgrade pdoc

Conclusion

In today's interconnected world, software projects can quickly become insecure through dependencies on external services and resources. CVE-2024-38526 is a prime example of how reliance on a third-party CDN can introduce a significant security vulnerability into a trusted tool like pdoc.

Users and maintainers of pdoc should be aware of this issue and should update their installations promptly to ensure that their Python projects' documentation remains secure and free from potential attacks. If you want to learn more about this vulnerability and the steps taken to mitigate it, consider reviewing the official pdoc GitHub repository.

Timeline

Published on: 06/26/2024 00:15:10 UTC
Last modified on: 07/02/2024 19:30:39 UTC