What is CVE-2024-38526?

CVE-2024-38526 is a vulnerability in Mitmproxy Pdoc, classified under CWE-1395. Published 2024-06-25.

Is CVE-2024-38526 known to be exploited?

7 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Mitmproxy Pdoc

CVE-2024-38526

pdoc provides API Documentation for Python Projects. Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code. This issue has been fixed in pdoc…

EPSS: 0.829 (99.3th percentile) — read the EPSS interpretation.

Affected products

Mitmproxy Pdoc — versions < 14.5.1

Weakness classification (CWE)

CWE-1395

Public proof-of-concept exploits

References

https://github.com/mitmproxy/pdoc/security/advisories/GHSA-5vgj-ggm4-fg62 (x_refsource_CONFIRM)
https://github.com/mitmproxy/pdoc/pull/703 (x_refsource_MISC)
https://sansec.io/research/polyfill-supply-chain-attack (x_refsource_MISC)
www.vicarius.io/vsociety/posts/polyfillio-in-pdoc-cve-2024-38526

Frequently asked questions

What is CVE-2024-38526?: CVE-2024-38526 is a vulnerability in Mitmproxy Pdoc, classified under CWE-1395. Published 2024-06-25.
Is CVE-2024-38526 known to be exploited?: 7 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.