GHSA-5vgj-ggm4-fg62: pdoc embeds link to malicious CDN if math mode is enabled

Impact

Documentation generated with pdoc --math linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code.

Users who produce documentation with math mode should update immediately. All other users are unaffected.
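The following check is added here as a defender-side example and is not pdoc's own code: it scans already-built HTML documentation for script or link tags whose host is polyfill.io (or a subdomain), so that pages generated with --math before 14.5.1 can be located and regenerated. The sample page is constructed for the example and is not pdoc's actual template.

```python
# Added example, not pdoc's own code: find generated HTML pages that still
# reference the polyfill.io CDN named in the advisory, so docs built with
# `pdoc --math` before 14.5.1 can be located and rebuilt.
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

FLAGGED_HOSTS = ("polyfill.io",)  # subdomains are matched as well

def _is_flagged(url: str) -> bool:
    # Protocol-relative URLs ("//host/...") already parse; relative paths yield no host.
    host = (urlparse(url if "//" in url else "//" + url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in FLAGGED_HOSTS)

class _RefCollector(HTMLParser):
    """Collect (tag, url) pairs from <script src=...> and <link href=...>."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.refs.append(("script", a["src"]))
        elif tag == "link" and a.get("href"):
            self.refs.append(("link", a["href"]))

def find_polyfill_refs(html: str) -> list:
    """Return the (tag, url) pairs in `html` whose host is polyfill.io or a subdomain."""
    p = _RefCollector()
    p.feed(html)
    return [(t, u) for t, u in p.refs if _is_flagged(u)]

def scan_docs(root: str) -> dict:
    """Map each .html file under `root` that references polyfill.io to its hits."""
    hits = {}
    for path in Path(root).rglob("*.html"):
        refs = find_polyfill_refs(path.read_text(encoding="utf-8", errors="replace"))
        if refs:
            hits[str(path)] = refs
    return hits

# Constructed sample page (not pdoc's real template) with one polyfill.io script tag.
SAMPLE = """<html><head>
<script src="https://polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-chtml.js"></script>
</head><body><p>x^2</p></body></html>"""

if __name__ == "__main__":
    print(find_polyfill_refs(SAMPLE))  # [('script', 'https://polyfill.io/v3/polyfill.min.js?features=es6')]
```

Run `scan_docs("path/to/built/docs")` to list every page that needs regenerating with pdoc 14.5.1 or later.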

Patches

This issue has been fixed in pdoc 14.5.1.

References

https://github.com/mitmproxy/pdoc/pull/703
https://sansec.io/research/polyfill-supply-chain-attack

Timeline

  • [2024-06-25] https://sansec.io/research/polyfill-supply-chain-attack is published.
  • [2024-06-25 20:54 UTC] Issue reported to the pdoc project by @adhintz.
  • [2024-06-25 21:33 UTC] Patched version released.
  • [2024-06-25 21:37 UTC] Security advisory published.

Package

pdoc (pip)

Affected versions

< 14.5.1

Patched versions

14.5.1

References

  • GHSA-5vgj-ggm4-fg62
  • mitmproxy/pdoc#703
  • https://sansec.io/research/polyfill-supply-chain-attack
  • mitmproxy/pdoc@726b8f2

mhils published to mitmproxy/pdoc

Jun 25, 2024

Published to the GitHub Advisory Database

Jun 25, 2024

Reviewed

Jun 25, 2024

Last updated

Jun 25, 2024
