Remote Code Execution Risk in veraPDF Library
CVE-2024-52800
Key Information:
- Vendor: VeraPDF
- Status: Vendor
- CVE Published: 29 November 2024
What is CVE-2024-52800?
CVE-2024-52800 refers to a high-risk vulnerability in the veraPDF library, an open-source PDF/A validation tool. The vulnerability arises when policy checks are run with custom Schematron files via the command-line interface (CLI): the check triggers an XSL transformation, and a malicious policy file could use that transformation to achieve remote code execution (RCE). This does not affect standard validation functionality, since most users do not incorporate custom XSLT code into their policy profiles, but the risk remains for those who load policy files or scripts from external sources. Users are strongly advised to load custom policy files only from reputable sources until an official patch is released. Awareness and cautious handling of XSLT code are vital in mitigating this vulnerability.
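One defensive check that follows from the description above: before handing a custom policy file to the CLI, inspect it and refuse anything that declares or uses the XSLT namespace or any namespace outside plain Schematron. This is an added example, not veraPDF's own code; the allow-list of namespaces, the helper names and the two sample policy documents are assumptions constructed for illustration (a site that uses its own namespaces in policy files would add them to `allowed_ns`).

```python
import io
import xml.etree.ElementTree as ET

SCHEMATRON_NS = "http://purl.oclc.org/dsdl/schematron"
XSLT_NS = "http://www.w3.org/1999/XSL/Transform"
XML_NS = "http://www.w3.org/XML/1998/namespace"
# Assumed allow-list: Schematron, the xml: namespace, and un-namespaced names.
DEFAULT_ALLOWED_NS = frozenset({SCHEMATRON_NS, XML_NS, ""})


def split_tag(tag):
    """Split ElementTree's '{uri}local' form into (uri, local)."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return uri, local
    return "", tag


def check_policy(xml_bytes, allowed_ns=DEFAULT_ALLOWED_NS):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    # 'start-ns' reports every xmlns declaration, even unused ones, which
    # plain tree parsing would otherwise drop.
    events = ET.iterparse(io.BytesIO(xml_bytes), events=("start-ns", "start"))
    for event, payload in events:
        if event == "start-ns":
            prefix, uri = payload
            if uri == XSLT_NS:
                findings.append(f"XSLT namespace bound to prefix '{prefix}'")
            elif uri not in allowed_ns:
                findings.append(f"foreign namespace declared: {uri}")
            continue
        elem = payload
        uri, local = split_tag(elem.tag)
        if uri not in allowed_ns:
            findings.append(f"element outside Schematron namespace: <{local}> in {uri}")
        for attr in elem.attrib:
            attr_uri, attr_local = split_tag(attr)
            if attr_uri not in allowed_ns:
                findings.append(f"namespaced attribute {attr_local} in {attr_uri}")
    return findings


# Constructed sample policies (not real veraPDF profiles).
BENIGN_POLICY = b"""<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
  <sch:pattern><sch:rule context="/report">
    <sch:assert test="count(//error) = 0">No errors allowed</sch:assert>
  </sch:rule></sch:pattern></sch:schema>"""
SUSPICIOUS_POLICY = b"""<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron"
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:value-of select="'embedded stylesheet content'"/></sch:schema>"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_POLICY), ("suspicious", SUSPICIOUS_POLICY)):
        print(name, check_policy(doc) or "clean")
```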
Affected Version(s)
veraPDF-library <= 1.26.1
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.