CVE-2024-52800

veraPDF is an open source PDF/A validation library. Executing policy checks using custom schematron files via the CLI invokes an XSL transformation that may theoretically lead to a remote code execution (RCE) vulnerability. This doesn't affect the standard validation and policy checks functionality, veraPDF's common use cases. Most veraPDF users don't insert any custom XSLT code into policy profiles, which are based on Schematron syntax rather than direct XSL transforms. For users who do, only load custom policy files from sources you trust. This issue has not yet been patched. Users are advised to be cautious of XSLT code until a patch is available.

CVSS

No CVSS.

References

Link	Resource
https://github.com/veraPDF/veraPDF-library/issues/1488
https://github.com/veraPDF/veraPDF-library/security/advisories/GHSA-4cx5-89vm-833x

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) veraPDF es una librería de validación PDF/A de código abierto. La ejecución de comprobaciones de políticas mediante archivos Schematron personalizados a través de la CLI invoca una transformación XSL que, en teoría, puede provocar una vulnerabilidad de ejecución remota de código (RCE). Esto no afecta a la funcionalidad estándar de validación y comprobaciones de políticas, que son los casos de uso más comunes de veraPDF. La mayoría de los usuarios de veraPDF no insertan ningún código XSLT personalizado en los perfiles de políticas, que se basan en la sintaxis de Schematron en lugar de en transformaciones XSL directas. Los usuarios que sí lo hacen deben cargar únicamente archivos de políticas personalizados de fuentes en las que confíen. Este problema aún no se ha solucionado. Se recomienda a los usuarios que tengan cuidado con el código XSLT hasta que haya un parche disponible.

29 Nov 2024, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-29 19:15

Updated : 2026-06-17 08:07

NVD link : CVE-2024-52800

Mitre link : CVE-2024-52800

CVE.ORG link : CVE-2024-52800

JSON object : View

Products Affected

No product.

CWE

CWE-611

Improper Restriction of XML External Entity Reference

{"id": "CVE-2024-52800", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2024-52800", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-02T11:17:25.404338Z"}}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "veraPDF", "product": "veraPDF-library", "versions": [{"status": "affected", "version": "<= 1.26.1"}]}]}], "published": "2024-11-29T19:15:08.713", "references": [{"url": "https://github.com/veraPDF/veraPDF-library/issues/1488", "source": "security-advisories@github.com"}, {"url": "https://github.com/veraPDF/veraPDF-library/security/advisories/GHSA-4cx5-89vm-833x", "source": "security-advisories@github.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "veraPDF is an open source PDF/A validation library. Executing policy checks using custom schematron files via the CLI invokes an XSL transformation that may theoretically lead to a remote code execution (RCE) vulnerability. This doesn't affect the standard validation and policy checks functionality, veraPDF's common use cases. Most veraPDF users don't insert any custom XSLT code into policy profiles, which are based on Schematron syntax rather than direct XSL transforms. For users who do, only load custom policy files from sources you trust. This issue has not yet been patched. Users are advised to be cautious of XSLT code until a patch is available."}, {"lang": "es", "value": "veraPDF es una librer\u00eda de validaci\u00f3n PDF/A de c\u00f3digo abierto. La ejecuci\u00f3n de comprobaciones de pol\u00edticas mediante archivos Schematron personalizados a trav\u00e9s de la CLI invoca una transformaci\u00f3n XSL que, en teor\u00eda, puede provocar una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo (RCE). Esto no afecta a la funcionalidad est\u00e1ndar de validaci\u00f3n y comprobaciones de pol\u00edticas, que son los casos de uso m\u00e1s comunes de veraPDF. La mayor\u00eda de los usuarios de veraPDF no insertan ning\u00fan c\u00f3digo XSLT personalizado en los perfiles de pol\u00edticas, que se basan en la sintaxis de Schematron en lugar de en transformaciones XSL directas. Los usuarios que s\u00ed lo hacen deben cargar \u00fanicamente archivos de pol\u00edticas personalizados de fuentes en las que conf\u00eden. Este problema a\u00fan no se ha solucionado. Se recomienda a los usuarios que tengan cuidado con el c\u00f3digo XSLT hasta que haya un parche disponible."}], "lastModified": "2026-06-17T08:07:39.087", "sourceIdentifier": "security-advisories@github.com"}