Skip to content

PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF

High
wojtekmaj published GHSA-87hq-q4gp-9wr4 May 7, 2024

Package

npm react-pdf (npm)

Affected versions

<= 7.7.2
^8.0.0 <= 8.0.1

Patched versions

7.7.3
8.0.2

Description

Summary

If PDF.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Patches

This patch forces isEvalSupported to false, removing the attack vector.

Workarounds

Set options.isEvalSupported to false, where options is Document component prop.

References

Severity

High
7.1
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L

CVE ID

CVE-2024-34342

Weaknesses

No CWEs

Credits