CVE-2024-38526
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
26/06/2024
Last modified:
15/04/2026
Description
pdoc provides API Documentation for Python Projects. Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code. This issue has been fixed in pdoc 14.5.1.
Impact
Base Score 3.x
7.20
Severity 3.x
HIGH
References to Advisories, Solutions, and Tools
- https://github.com/mitmproxy/pdoc/pull/703
- https://github.com/mitmproxy/pdoc/security/advisories/GHSA-5vgj-ggm4-fg62
- https://sansec.io/research/polyfill-supply-chain-attack
- https://www.vicarius.io/vsociety/posts/polyfillio-in-pdoc-cve-2024-38526
- https://github.com/mitmproxy/pdoc/pull/703
- https://github.com/mitmproxy/pdoc/security/advisories/GHSA-5vgj-ggm4-fg62
- https://sansec.io/research/polyfill-supply-chain-attack
- https://www.vicarius.io/vsociety/posts/polyfillio-in-pdoc-cve-2024-38526