Skip to content

PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF

High severity GitHub Reviewed Published May 6, 2024 in mozilla/pdf.js • Updated Jun 10, 2024

Package

npm pdfjs-dist (npm)

Affected versions

<= 4.1.392

Patched versions

4.2.67

Description

Impact

If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Patches

The patch removes the use of eval:
mozilla/pdf.js#18015

Workarounds

Set the option isEvalSupported to false.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

References

@calixteman calixteman published to mozilla/pdf.js May 6, 2024
Published to the GitHub Advisory Database May 7, 2024
Reviewed May 7, 2024
Published by the National Vulnerability Database May 14, 2024
Last updated Jun 10, 2024

Severity

High

Weaknesses

No CWEs

CVE ID

CVE-2024-4367

GHSA ID

GHSA-wgrm-67xf-hhpq

Source code

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.