CVE-2024-52800: veraPDF CLI has potential XXE (XML External Entity Injection) vulnerability

December 2, 2024 (updated January 10, 2025)

Executing policy checks using custom schematron files via the CLI invokes an XSL transformation that may theoretically lead to a remote code execution (RCE) vulnerability.

References

github.com/advisories/GHSA-4cx5-89vm-833x
github.com/veraPDF/veraPDF-library
github.com/veraPDF/veraPDF-library/issues/1488
github.com/veraPDF/veraPDF-library/security/advisories/GHSA-4cx5-89vm-833x
nvd.nist.gov/vuln/detail/CVE-2024-52800

Code Behaviors & Features

Detect and mitigate CVE-2024-52800 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →