Remote Code Execution Risk in veraPDF Library
CVE-2024-52800
Key Information
- Vendor: VeraPDF
- Status
- VeraPDF-library
- CVE Published: 29 November 2024
Summary
CVE-2024-52800 is a high-risk vulnerability in the veraPDF library, an open-source PDF/A validation tool. The vulnerability arises when policy checks are run from the command-line interface (CLI) using custom Schematron files: the check triggers an XSL transformation that could allow remote code execution (RCE). This does not affect standard validation functionality, since most users do not incorporate custom XSLT code into their policy profiles, but the risk remains for those who do use external XSLT code. Users are strongly advised to load custom policy files only from trusted sources until an official patch is released. Awareness and cautious handling of XSLT code are vital in mitigating this vulnerability.
Affected Version(s)
veraPDF-library <= 1.26.1
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
Timeline
- 🟡 Public PoC available
- 👾 Exploit known to exist
- Vulnerability published
- Vulnerability reserved