
CVE-2024-25885: xhtml2pdf Denial of Service via crafted string

CVSS Score (v3.1)
5.3

Basic Information

EPSS Score
0.54255%
Published
10/8/2024
Updated
10/9/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
xhtml2pdf    | pip       | <= 0.2.16           |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

  1. All vulnerability descriptions explicitly mention the getcolor function in utils.py as the source of ReDoS.
  2. The PoC demonstrates exploitation through color parameter manipulation handled by this function.
  3. CWE-1333 directly implicates regex inefficiency in color parsing logic.
  4. No other functions are referenced in advisories or PoC details. The path normalization matches Python package structure (xhtml2pdf/util.py).

WAF Protection Rules

WAF Rule

An issue in the getcolor function in utils.py of xhtml2pdf v0.2.16 allows attackers to cause a Regular Expression Denial of Service (ReDOS) via supplying a crafted string.
