Remote Code Execution Risk in veraPDF Library

CVE-2024-52800


Key Information

Vendor: VeraPDF
Product: VeraPDF-library
CVE Published: 29 November 2024

Badges

  • 👾 Exploit Exists
  • 🟡 Public PoC

Summary

CVE-2024-52800 refers to a high-risk vulnerability in the veraPDF library, an open-source PDF/A validation tool. The vulnerability arises when policy checks are executed with custom Schematron files through the command-line interface (CLI): the policy check triggers an XSL transformation, and a crafted transformation could allow remote code execution (RCE). This does not affect standard validation functionality, since most users do not include custom XSLT code in their policy profiles, but the risk remains for users who load external policy scripts. Users are strongly advised to load custom policy files only from trusted sources until an official patch is released. Awareness of, and cautious handling of, XSLT code in policy files is essential to mitigating this vulnerability.

Affected Version(s)

veraPDF-library <= 1.26.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability Reserved

Collectors

  • NVD Database
  • Mitre Database
  • 1 Proof of Concept(s)