CVE-2024-28109

Name of the Vulnerable Software and Affected Versions veraPDF-library versions prior to 1.24.2

Description The veraPDF-library, a PDF/A validation library, has a remote code execution (RCE) vulnerability when executing policy checks using custom schematron files. This invokes an XSL transformation that could lead to RCE. Most users are not affected as they do not insert custom XSLT code into policy profiles. For users who do, it is recommended to only load custom policy files from trusted sources.

Recommendations For versions prior to 1.24.2, upgrade to version 1.24.2 to fix the vulnerability. As a temporary workaround, consider only loading custom policy files from sources you trust, to minimize the risk of exploitation.