CVE-2024-38526: Polyfill Supply Chain Attack Malicious Code Execution

Date: 2025-08-01 | Affected software: Polyfill | PoC: public

Vulnerability description

pdoc provides API documentation for Python projects. Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io.

PoC code [public]

id: CVE-2024-38526

info:
  name: Polyfill Supply Chain Attack Malicious Code Execution
  author: abut0n
  severity: high
  description: |
    pdoc provides API Documentation for Python Projects. Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io
  impact: |
    The polyfill.io CDN has been sold and now serves malicious code.
  remediation: |
    This issue has been fixed in pdoc 14.5.1.
  reference:
    - https://sansec.io/research/polyfill-supply-chain-attack
    - https://nvd.nist.gov/vuln/detail/CVE-2024-38526
    - https://x.com/triblondon/status/1761852117579427975
    - https://github.com/mitmproxy/pdoc/pull/703
    - https://github.com/mitmproxy/pdoc/security/advisories/GHSA-5vgj-ggm4-fg62
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
    cvss-score: 7.2
    cve-id: CVE-2024-38526
    epss-score: 0.78221
    epss-percentile: 0.98988
  tags: cve,cve2024,supply-chain,polyfill,vkev
headless:
  - steps:
      - args:
          url: "{{BaseURL}}"
        action: navigate

      - action: waitload

      - action: script
        name: extract
        args:
          code: |
            () => {
             return '\n' + [...new Set(Array.from(document.querySelectorAll('[src], [href], [url], [action]')).map(i => i.src || i.href || i.url || i.action))].join('\r\n') + '\n'
            }

    extractors:
      - type: kval
        part: extract
        name: urls
        internal: true
        kval:
          - extract

    matchers:
      - type: word
        words:
          - "polyfill.io"
          - "bootcdn.net"
          - "bootcss.com"
          - "staticfile.net"
          - "staticfile.org"
          - "unionadjs.com"
          - "xhsbpza.com"
          - "union.macoms.la"
          - "newcrbpc.com"
        part: urls
# digest: 4a0a00473045022100fe49aec7d7657cf37559e9aee314c2741bc716f091030db590072394e7a61cbd02204a2e8327b534b7a439b99311ad1374fdf21c0db1a1599b52af9260b9fc933c16:922c64590222798bb761d5b6d8e72950
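The headless template above collects every src/href/url/action attribute on a rendered page and matches the result against a list of CDN domains associated with the polyfill.io takeover. The following Python script is an added example (not pdoc's code and not part of the Nuclei template) that performs the same check offline on static HTML, such as a pdoc output directory, using only the standard library. The sample HTML is constructed for illustration and is not real pdoc output. One deliberate difference from the template: the example matches on the parsed hostname (exact or subdomain) rather than on a substring of the whole URL, so a link to example.com/polyfill.io/... is not reported.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain list taken from the matcher in the Nuclei template above.
FLAGGED_DOMAINS = (
    "polyfill.io", "bootcdn.net", "bootcss.com", "staticfile.net",
    "staticfile.org", "unionadjs.com", "xhsbpza.com", "union.macoms.la",
    "newcrbpc.com",
)
# Same attributes the template's headless step collects.
URL_ATTRS = ("src", "href", "url", "action")


class _RefCollector(HTMLParser):
    """Collect (tag, attribute, value) for every URL-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.refs.append((tag, name, value))


def extract_refs(html):
    """Return all (tag, attr, url) references found in an HTML document."""
    parser = _RefCollector()
    parser.feed(html)
    parser.close()
    return parser.refs


def flagged_domain(url):
    """Return the flagged domain a URL points at, or None.

    Matching is by hostname (exact or subdomain); protocol-relative URLs
    such as //cdn.example/x parse with a hostname and are covered too.
    """
    host = urlparse(url).hostname
    if not host:
        return None  # relative path, fragment, or data: URL
    host = host.lower()
    for domain in FLAGGED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_html(html):
    """Return [(tag, attr, url, domain)] for each reference to a flagged CDN."""
    hits = []
    for tag, attr, url in extract_refs(html):
        domain = flagged_domain(url)
        if domain:
            hits.append((tag, attr, url, domain))
    return hits


# Constructed sample resembling a page built with `pdoc --math` before the
# fix (not real pdoc output): one polyfill.io script, a protocol-relative
# reference to another listed CDN, first-party assets, and a link whose
# path merely contains "polyfill.io".
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/static/pdoc.css">
<script src="https://polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//cdn.bootcss.com/mathjax/3.2.2/es5/tex-mml-chtml.js"></script>
<script src="/static/search.js"></script>
</head><body><a href="https://example.com/polyfill.io/notes">docs</a></body></html>
"""

if __name__ == "__main__":
    for tag, attr, url, domain in scan_html(SAMPLE_HTML):
        print(f"{domain}: <{tag} {attr}={url!r}>")
```

To scan a documentation tree, read each .html file and pass its contents to scan_html; a non-empty result means the page still loads a script from one of the listed domains and should be regenerated with a fixed pdoc (14.5.1 or later) or have the reference removed.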