pdoc embeds link to malicious CDN if math mode is enabled

@adhintz

Impact

Documentation generated with pdoc --math linked to JavaScript files from polyfill.io.
The polyfill.io CDN has been sold and now serves malicious code.

Users who produce documentation with math mode should update immediately. All other users are unaffected.

Patches

This issue has been fixed in pdoc 14.5.1.

References

mitmproxy/pdoc#703
https://sansec.io/research/polyfill-supply-chain-attack

Timeline

[2024-06-25] https://sansec.io/research/polyfill-supply-chain-attack is published.
[2024-06-25 20:54 UTC] Issue reported to the pdoc project by @adhintz.
[2024-06-25 21:33 UTC] Patched version released.
[2024-06-25 21:37 UTC] Security advisory published.
[2024-06-25 23:49 UTC] CVE-2024-38526 assigned by GitHub.

References

mhils published to mitmproxy/pdoc Jun 25, 2024

Published to the GitHub Advisory Database Jun 25, 2024

Reviewed Jun 25, 2024

Published by the National Vulnerability Database Jun 26, 2024

Last updated Jul 26, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Impact

Patches

References

Timeline

References

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

EPSS score

Weaknesses

CVE ID

GHSA ID

Source code

Credits