Chore: update pdfjs to 3.11.174, resolve CVE #1092

Merged May 14, 2024 (2 commits)

@shamoon shamoon commented May 13, 2024

Hey, glad to see the project is still going! Thanks for merging my other update PR 🙏

Not to be annoying, but I figured we might as well go to the latest 3.x. I also included a change to disable JS execution, which is an acceptable solution to https://www.cve.org/CVERecord?id=CVE-2024-4367 AFAIK.

Closes #1088
Supersedes #1089

@VadimDez VadimDez merged commit 1280c5f into VadimDez:master May 14, 2024
2 checks passed
@VadimDez VadimDez added this to the 10.2.0 milestone May 14, 2024
@shamoon shamoon deleted the update-pdfjs branch May 15, 2024 02:53
@manaskumar-tf

@shamoon, the vulnerability issue is not getting fixed with "ng2-pdf-viewer": "10.2.2" & "pdfjs-dist": "^3.11.174" version. Any idea how to resolve this?

@Kiriguiri

NPM is giving me this warning on audit. There is still a vulnerability issue.


@shamoon shamoon commented Jun 4, 2024

Npm does not recognize the fix automatically because the dependency wasn’t upgraded. It was fixed using the described workaround.

@manaskumar-tf

@shamoon, by when can we expect this ng2-pdf-viewer version to be updated, or npm audit to not throw any vulnerability warning?

@wghglory

How about upgrading pdfjs-dist to v4?



Successfully merging this pull request may close these issues.

PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF