The hook
veraPDF is often used in document validation pipelines where policy files and Schematron profiles can become part of the processing surface. CVE-2024-28109 is tied to affected veraPDF packages before their fixed release lines; FixVibe treats a repo match as dependency evidence, not proof that custom policy files are attacker-controlled in production.
Kaip tai veikia
The repo check looks for affected `org.verapdf` Maven coordinates in Java build files. Exact declared versions produce the strongest signal, including versions referenced through local Maven properties. The finding stays scoped to dependency evidence and does not claim FixVibe ran veraPDF, processed policy files, or executed XSLT.
The blast radius
If an affected veraPDF runtime processes untrusted custom policy files under the advisory conditions, XSLT behavior may cross into sensitive file or code-execution boundaries. A repo match should trigger dependency-tree review, runtime input review, artifact rebuild, and deployment verification before anyone treats it as confirmed exploitability.
// what fixvibe checks
What FixVibe checks
FixVibe repo scans look for high-confidence security patterns and dependency risk in source context. Reports identify the affected area and recommended fix. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.
Ironclad defenses
Upgrade affected veraPDF artifacts to the package-specific fixed version, regenerate Maven or Gradle metadata, and rebuild the deployed artifact or image. If the app accepts custom veraPDF policy files or validation profiles, allow only trusted sources and verify secure XSLT processing settings remain enabled after the upgrade.