CVE-2024-45508

9.8 CRITICAL

📋 TL;DR

CVE-2024-45508 is a critical out-of-bounds write vulnerability in HTMLDOC's PDF/PS parsing functionality. Attackers can exploit this to execute arbitrary code or cause denial of service by processing specially crafted HTML documents. All systems running vulnerable HTMLDOC versions are affected when processing untrusted HTML input.

💻 Affected Systems

Products:
  • HTMLDOC
Versions: All versions before 1.9.19
Operating Systems: All platforms where HTMLDOC runs (Linux, Windows, macOS, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when parsing HTML documents containing whitespace-only nodes in paragraph contexts.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with the privileges of the HTMLDOC process, potentially leading to complete system compromise.

🟠 Likely Case: Denial of service (application crash) or limited memory corruption leading to unstable behavior.

🟢 If Mitigated: No impact if HTMLDOC is not processing untrusted HTML documents or if proper input validation is implemented.

🌐 Internet-Facing: HIGH if HTMLDOC processes user-uploaded HTML files or web content.
🏢 Internal Only: MEDIUM if used for internal document processing with potentially malicious content.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires feeding malicious HTML to HTMLDOC. No authentication needed if HTMLDOC processes external input.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.19

Vendor Advisory: https://github.com/michaelrsweet/htmldoc/blob/2d5b2ab9ddbf2aee2209010cebc11efdd1cab6e2/CHANGES.md

Restart Required: No

Instructions:

1. Download HTMLDOC 1.9.19 or later from the official repository.
2. Compile and install following standard build procedures.
3. Replace the existing HTMLDOC binary with the patched version.

🔧 Temporary Workarounds

Input Validation

all

Implement strict input validation to reject or sanitize HTML documents containing suspicious whitespace patterns.

Process Isolation

all

Run HTMLDOC in a sandboxed or containerized environment with minimal privileges.

🧯 If You Can't Patch

  • Disable HTMLDOC processing of untrusted documents
  • Implement network segmentation to limit HTMLDOC exposure

🔍 How to Verify

Check if Vulnerable:

Run 'htmldoc --version'; the installation is vulnerable if the reported version is below 1.9.19.

Check Version:

htmldoc --version

Verify Fix Applied:

Confirm version is 1.9.19 or higher and test with known problematic HTML samples
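
The version check above as an added example (not code from this advisory or from the HTMLDOC project): a POSIX shell script that compares the reported version component by component, so that 1.10.0 is not misread as older than 1.9.19. It assumes the output of 'htmldoc --version' contains a dotted version number; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify an HTMLDOC version against the fixed release.
FIXED_VERSION="1.9.19"   # patch version stated in this advisory

# version_lt A B: succeed (return 0) if dotted-numeric version A is lower than B.
# A plain string comparison would wrongly rank 1.10.0 below 1.9.19.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        # Split off the leading component of each version string.
        ca=${a%%.*}; cb=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        # Drop leading zeros; a missing or empty component counts as 0.
        ca=$(printf '%s' "$ca" | sed 's/^0*//'); ca=${ca:-0}
        cb=$(printf '%s' "$cb" | sed 's/^0*//'); cb=${cb:-0}
        [ "$ca" -lt "$cb" ] && return 0
        [ "$ca" -gt "$cb" ] && return 1
    done
    return 1   # versions are equal, so A is not lower than B
}

# classify_htmldoc TEXT: print VULNERABLE, PATCHED or UNKNOWN for version output.
classify_htmldoc() {
    # Assumption: the first dotted number in the text is the HTMLDOC version.
    v=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*$/\1/p' | head -n 1)
    if [ -z "$v" ]; then
        echo UNKNOWN
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo VULNERABLE
    else
        echo PATCHED
    fi
}

# Stand-alone use: query the installed binary, if one is on PATH.
if command -v htmldoc >/dev/null 2>&1; then
    classify_htmldoc "$(htmldoc --version 2>&1)"
fi
```

An UNKNOWN result means the output could not be parsed and the host needs a manual check; it should not be counted as patched.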

📡 Detection & Monitoring

Log Indicators:

  • HTMLDOC process crashes
  • Memory access violation errors in system logs
  • Abnormal termination of HTMLDOC processes

Network Indicators:

  • Unusual HTML file uploads to systems using HTMLDOC
  • Multiple failed HTML processing attempts

SIEM Query:

process_name:"htmldoc" AND (event_type:"crash" OR exit_code:139 OR exit_code:-1073741819)
