GHSA-5vgj-ggm4-fg62: pdoc embeds link to malicious CDN if math mode is enabled

June 25, 2024 (updated June 28, 2024)

Documentation generated with pdoc --math linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code.

Users who produce documentation with math mode should update immediately. All other users are unaffected.

References

github.com/advisories/GHSA-5vgj-ggm4-fg62
github.com/mitmproxy/pdoc
github.com/mitmproxy/pdoc/commit/726b8f2e365fe8afeb3604a7c73d19b460395d58
github.com/mitmproxy/pdoc/pull/703
github.com/mitmproxy/pdoc/security/advisories/GHSA-5vgj-ggm4-fg62
sansec.io/research/polyfill-supply-chain-attack

Code Behaviors & Features

Detect and mitigate GHSA-5vgj-ggm4-fg62 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →