Skip to content

react-pdf vulnerable to arbitrary JavaScript execution upon opening a malicious PDF with PDF.js

High severity GitHub Reviewed Published May 7, 2024 in wojtekmaj/react-pdf • Updated May 8, 2024

Package

npm react-pdf (npm)

Affected versions

< 7.7.3
>= 8.0.0, < 8.0.2

Patched versions

7.7.3
8.0.2

Description

Summary

If PDF.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Patches

This patch forces isEvalSupported to false, removing the attack vector.

Workarounds

Set options.isEvalSupported to false, where options is Document component prop.

References

References

@wojtekmaj wojtekmaj published to wojtekmaj/react-pdf May 7, 2024
Published by the National Vulnerability Database May 7, 2024
Published to the GitHub Advisory Database May 7, 2024
Reviewed May 7, 2024
Last updated May 8, 2024

Severity

High
7.1
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L

Weaknesses

CVE ID

CVE-2024-34342

GHSA ID

GHSA-87hq-q4gp-9wr4

Source code

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.