Malicious Code in Polyfill.io CDN Affects pdoc API Documentation
CVE-2024-38526

7.2 HIGH

Key Information:

Vendor: Mitmproxy

Status
Vendor
CVE Published: 26 June 2024

What is CVE-2024-38526?

CVE-2024-38526 is a vulnerability affecting the pdoc API documentation generator, which is typically used to create documentation for Python projects. The flaw arises from malicious code being served through the polyfill.io content delivery network (CDN), which pdoc links to when generating documentation with certain options. If exploited, this vulnerability could allow attackers to manipulate documentation files, potentially leading to the execution of unwanted or harmful scripts, thereby posing a significant risk to organizations that depend on pdoc for their API documentation.

Technical Details

The root of CVE-2024-38526 lies in the way pdoc integrates with polyfill.io, a CDN that has undergone ownership changes and is now serving compromised content. Specifically, documentation generated using the command pdoc --math inadvertently links to JavaScript resources from this CDN. The malicious code introduced through this medium can affect the integrity and security of the generated documentation. Mitmproxy, the vendor behind pdoc, has released version 14.5.1 to address this issue and safeguard users against potential attacks.
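
A defender-side check for the exposure described above, added here as an example (it is not part of pdoc or of the original advisory): it walks a directory of generated HTML and reports every script tag loaded from polyfill.io or one of its subdomains. The function names and the sample page are assumptions constructed for illustration.

```python
import sys
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

BAD_DOMAIN = "polyfill.io"  # CDN named in the advisory

# Constructed sample page (not real pdoc output): one flagged script, two benign.
SAMPLE_HTML = """<html><head>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://notpolyfill.io.example/lib.js"></script>
<script src="static/search.js"></script>
</head><body></body></html>"""

class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.sources.append(src.strip())

def polyfill_script_urls(html: str) -> list:
    """Return script URLs whose host is polyfill.io or a subdomain of it."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    hits = []
    for src in parser.sources:
        # urlparse also resolves protocol-relative URLs such as //host/x.js
        host = (urlparse(src).hostname or "").lower().rstrip(".")
        # Exact or dot-suffix match, so look-alike hosts are not flagged.
        if host == BAD_DOMAIN or host.endswith("." + BAD_DOMAIN):
            hits.append(src)
    return hits

def scan_tree(root: Path) -> dict:
    """Map each .html file under root to the polyfill.io scripts it loads."""
    pages = ((p, p.read_text(encoding="utf-8", errors="replace"))
             for p in sorted(root.rglob("*.html")))
    return {p: hits for p, text in pages if (hits := polyfill_script_urls(text))}

if __name__ == "__main__":
    # With a directory argument scan it; otherwise run on the constructed sample.
    found = (scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1
             else {"<sample>": polyfill_script_urls(SAMPLE_HTML)})
    for path, urls in found.items():
        print(f"{path}: {', '.join(urls)}")
```

Any file this reports was built with an affected configuration and should be regenerated with pdoc 14.5.1 or later before it is published again.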

Potential Impact of CVE-2024-38526

  1. Malicious Code Execution: The vulnerability may allow attackers to inject and execute malicious scripts within the documentation generated by pdoc, potentially leading to unauthorized access to sensitive information or manipulation of the user’s environment.

  2. Trust and Credibility Compromise: Organizations relying on pdoc for their API documentation risk losing credibility with users and stakeholders if compromised documentation is served, leading to a loss of trust in their technical resources.

  3. Reputational Damage: The exploitation of this vulnerability can result in significant reputational harm to affected organizations, as they may be associated with the distribution of malicious content, which could have long-term implications for their brand and partnership opportunities.

Affected Version(s)

pdoc < 14.5.1

EPSS Score

82% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published
