Attacker Impact
An attacker who can control or influence the policy files used by veraPDF can perform Extensible Stylesheet Language Transformations (XSLT) injection [S2]. Depending on the configuration of the underlying XML/XSLT parser, this can lead to unauthorized information disclosure (such as reading local files), Server-Side Request Forgery (SSRF), or potentially arbitrary code execution on the host system running the veraPDF engine [S3].
Root Cause
The vulnerability (CVE-2024-28109) exists in the affected veraPDF Maven artifacts, including org.verapdf:core, in releases before each package's fixed version [S1, S2, S3]. veraPDF defines and executes policy checks as XSLT stylesheets, so a policy file is stylesheet code that the engine runs, not passive configuration [S2]. If an application accepts policy files from an untrusted source, or configures the XSLT processor with insecure defaults, an attacker can inject XSLT elements of their own into the policy; what those elements can reach (local files, network endpoints, extension functions) is determined by the processor's configuration, which is why the impact ranges from disclosure to code execution [S2].
Covered by FixVibe
FixVibe covers this advisory in GitHub repo scans by reading Maven and Gradle dependency declarations for affected org.verapdf artifacts [S2, S3]. Findings are reported as version-based advisory evidence with the dependency file, package, detected version or constraint, fixed version, confidence, detection type, and source quality. FixVibe does not execute veraPDF, process policy files, run XSLT payloads, read local files, or verify whether attacker-controlled policy files reach the dependency at runtime.
Concrete Fixes
- Upgrade veraPDF: Update the affected veraPDF artifacts to the package-specific fixed version listed in the advisory; for the standard core/library artifacts that is 1.24.2 or later [S2, S3]. Check the resolved version rather than the declared one, since a transitive dependency can still pull in an older build: mvn dependency:tree -Dincludes=org.verapdf (Maven) or gradle dependencyInsight --dependency org.verapdf:core (Gradle) shows what the build actually resolves.
- Secure XSLT Processor Configuration: If you manually configure the XML/XSLT processor used alongside veraPDF, enable XMLConstants.FEATURE_SECURE_PROCESSING on the TransformerFactory and explicitly disable access to external DTDs, external stylesheets (xsl:import, xsl:include and document() targets) and extension functions [S2]. Settings applied to a factory your own code creates do not reach a factory veraPDF creates internally unless the restriction is applied process-wide (for the JDK processor, the javax.xml.accessExternalDTD and javax.xml.accessExternalStylesheet system properties), so treat this as a complement to the upgrade, not a replacement for it.
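The hardened configuration from the bullet above, side by side with the permissive default, as an added example written for this page; it is not veraPDF's own code and does not call veraPDF's API. It assumes the JDK's built-in XSLTC processor is the TransformerFactory on the classpath. The "policy" stylesheet, the report document and the temporary file holding a made-up secret are all constructed for the demo: the stylesheet only shows the mechanism the advisory describes (an XSLT stylesheet run by the engine using document() to read a local file), not an actual veraPDF policy.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class XsltPolicyHardening {

    // Constructed stand-in for the validation report a policy stylesheet runs over.
    static final String REPORT = "<report><rule id=\"r1\" status=\"passed\"/></report>";

    // Constructed untrusted "policy": an XSLT stylesheet that uses document() to pull
    // a local XML file into its output. Not a veraPDF policy, only the same mechanism.
    static String maliciousPolicy(Path localFile) {
        return "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
             + "<xsl:output method=\"text\"/>"
             + "<xsl:template match=\"/\">"
             + "<xsl:value-of select=\"document('" + localFile.toUri() + "')\"/>"
             + "</xsl:template>"
             + "</xsl:stylesheet>";
    }

    // Whatever TransformerFactory is on the classpath, with its default settings.
    static TransformerFactory permissiveFactory() {
        return TransformerFactory.newInstance();
    }

    // The configuration the fix recommends, using only standard JAXP constants.
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Secure-processing limits; on the JDK's XSLTC this also disables extension
        // functions (calls into arbitrary Java classes from within a stylesheet).
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty protocol list = no external DTDs or external entities ...
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        // ... and no xsl:import, xsl:include or document() targets outside the stylesheet.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // Compiles the stylesheet with the given factory, applies it to the report and
    // returns the text output. A blocked external access surfaces as TransformerException.
    static String applyPolicy(TransformerFactory tf, String stylesheet, String input)
            throws TransformerException {
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(stylesheet)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(input)), new StreamResult(out));
        return out.toString().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" XML file standing in for anything readable on the host.
        Path secret = Files.createTempFile("xslt-demo", ".xml");
        Files.write(secret, "<secret>s3cr3t</secret>".getBytes(StandardCharsets.UTF_8));
        String policy = maliciousPolicy(secret);
        try {
            // Default factory: the policy reads the file and its contents leak into the output.
            System.out.println("permissive: " + applyPolicy(permissiveFactory(), policy, REPORT));
            // Hardened factory: the document() access is refused and the transform fails.
            try {
                System.out.println("hardened: " + applyPolicy(hardenedFactory(), policy, REPORT));
            } catch (TransformerException e) {
                System.out.println("hardened: blocked (" + e.getMessage() + ")");
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Compile and run it with a plain javac/java invocation; no dependencies beyond the JDK are needed. Two points worth checking in your own code base: TransformerFactory.newInstance() returns whichever processor the classpath provides (Saxon, Xalan or the JDK's XSLTC), and each has its own defaults, so hardening must be applied to the factory that is actually instantiated; and setAttribute throws IllegalArgumentException for a name the processor does not recognise, which should be treated as a failed hardening step rather than swallowed.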
