CVE-2024-38526 - How pdoc’s API Docs Became a Security Nightmare via polyfill.io

If you use pdoc to generate API documentation for your Python projects, you might want to check how your docs load JavaScript. A recent vulnerability, CVE-2024-38526, highlights how an innocent documentation script can open the door to malicious code, all thanks to a third-party CDN going rogue.

Let’s break down what happened, show you what to look for, and how to fix it.

What is pdoc?

pdoc is a popular tool for generating pretty HTML documentation for your Python code. You run a command like:

pdoc --math my_project/

...and it spits out a set of linked HTML files documenting your modules, with math rendering (thanks to MathJax).

The Math Rendering Problem

When you use the --math flag, your generated documentation supports math notation. To do this, pdoc’s HTML output included a reference to a CDN-hosted JavaScript file for math rendering support:

<script src="https://cdn.polyfill.io/v2/polyfill.min.js"></script>

The idea: this script adds support for older browsers and some extra functionality that MathJax needs.

The Polyfill.io Disaster

Polyfill.io used to be a trusted community CDN for browser polyfills. But in early 2024, it was sold to a new operator. Shortly after, researchers including Feross Aboukhadijeh and others noticed it was serving obfuscated, malicious code to some users. (See this warning for details.)

What does this mean for you?

If your pdoc-generated documentation links to polyfill.io, and someone opens your docs in their browser, their session can be hijacked, or worse.

Open your API docs and look for this tag:

<script src="https://cdn.polyfill.io/v2/polyfill.min.js"></script>

If you see it, your docs are potentially a vector for malware.

How Could This Be Exploited?

Anyone visiting your documentation site (colleagues, customers, or the public, depending on how you share it) will run whatever JavaScript is at that polyfill.io URL, *even if they trust you*. That script could:

- Steal cookies/session info
- Attack your internal systems if your docs are on a private network

A real-world example of abuse: the new polyfill.io operator recently injected code to redirect some browsers to gambling ads and other dubious destinations. The same method could have done much worse if attackers wanted.

Official References

- pdoc GitHub Issue: Security issue with polyfill.io
- Polyfill.io Malware News: portswigger.net article
- CVE Description: nvd.nist.gov

The Fix: pdoc 14.5.1 and Above

pdoc maintainers moved FAST after the news broke. Starting with version 14.5.1, pdoc no longer uses polyfill.io at all. It now ships local polyfill code alongside your docs, keeping everything safe and self-contained.

After upgrading to 14.5.1 or later, regenerate your docs:

pdoc --math my_project/

Optional: Check that the bad script tag is gone:

Open your generated .html files and use your browser’s “View Source.” You should no longer see any polyfill.io links.
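Both checks above (looking for the polyfill.io tag before you upgrade, and confirming it is gone afterwards) can be automated instead of done by hand in "View Source". The script below is an added example written for this article; it is not part of pdoc. It walks a pdoc output directory, parses every .html file with the standard library, flags any script loaded from polyfill.io, and, going one step beyond the page's specific case, also lists every other third-party script host so you can audit them as the Bottom Line suggests. The sample HTML snippets and the cdn.example.net host are constructed for illustration.

```python
"""Audit pdoc-generated HTML for <script> tags loaded from polyfill.io
(the CVE-2024-38526 pattern) and list every other third-party script host.

Added example for this article; not pdoc's own code. The sample HTML and the
cdn.example.net host below are constructed for illustration.
"""
import sys
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Hosts named in the article as the compromised CDN.
POLYFILL_HOSTS = {"cdn.polyfill.io", "polyfill.io"}


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        for name, value in attrs:  # HTMLParser lowercases attribute names
            if name == "src" and value:
                self.sources.append(value)


def external_scripts(html_text):
    """Return script URLs that point at another origin (absolute or protocol-relative)."""
    parser = ScriptSrcCollector()
    parser.feed(html_text)
    # Relative paths such as "polyfill.js" have no netloc and are local files.
    return [src for src in parser.sources if urlparse(src).netloc]


def is_polyfill_io(src):
    """True if the URL's host is polyfill.io or any of its subdomains."""
    host = urlparse(src).hostname or ""
    return host in POLYFILL_HOSTS or host.endswith(".polyfill.io")


def audit_html(html_text):
    """Split external scripts into (polyfill_io_hits, other_third_party)."""
    hits, others = [], []
    for src in external_scripts(html_text):
        (hits if is_polyfill_io(src) else others).append(src)
    return hits, others


def audit_directory(docs_dir):
    """Walk a pdoc output directory; return {file: {"polyfill_io": [...], "other_external": [...]}}."""
    findings = {}
    for path in sorted(Path(docs_dir).rglob("*.html")):
        hits, others = audit_html(path.read_text(encoding="utf-8", errors="replace"))
        if hits or others:
            findings[str(path)] = {"polyfill_io": hits, "other_external": others}
    return findings


# Constructed sample: the tag pdoc < 14.5.1 emitted with --math, plus one other CDN.
SAMPLE_OLD = """<html><head>
<script src="https://cdn.polyfill.io/v2/polyfill.min.js"></script>
<script src="https://cdn.example.net/mathjax.js"></script>
</head><body></body></html>"""

# Constructed sample: fixed output that ships its polyfill locally.
SAMPLE_NEW = """<html><head>
<script src="polyfill.js"></script>
</head><body></body></html>"""


def main(argv):
    """Usage: python audit_docs.py <docs_dir>; exits 1 if polyfill.io is referenced."""
    docs_dir = argv[1] if len(argv) > 1 else "."
    findings = audit_directory(docs_dir)
    bad = 0
    for path, info in findings.items():
        for src in info["polyfill_io"]:
            print(f"POLYFILL.IO  {path}: {src}")
            bad += 1
        for src in info["other_external"]:
            print(f"third-party  {path}: {src}")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the directory pdoc wrote to; a non-zero exit status makes it easy to wire into CI so a regenerated docs tree that still references polyfill.io fails the build. Third-party hosts other than polyfill.io are only reported, not treated as failures, because a CDN reference is a judgement call, but each one is a dependency that can change under you in the same way.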

Bottom Line

Even if you trust the tools you use, third-party dependencies, especially CDNs, can flip overnight. Audit your HTML output, especially anything using scripts from third-party sites.

Further Reading

- Feross: polyfill.io is now malware
- Report on the Polyfill.io compromise


Stay safe — keep your docs clean, your dependencies updated, and treat every CDN like it might turn evil tomorrow.

Timeline

Published on: 06/26/2024 00:15:10 UTC
Last modified on: 07/02/2024 19:30:39 UTC