PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF
Severity: High
Description
If PDF.js is used to load a malicious PDF and is configured with isEvalSupported set to true (the default value), arbitrary attacker-controlled JavaScript is executed in the context of the hosting domain.
Recommendation
Update the pdfjs-dist package to the latest compatible version. Version details:
- Affected version(s): <= 4.1.392
- Patched version(s): 4.2.67
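The following is an added example, written here for this page and not code from the advisory or from the PDF.js project. It shows the two checks a defender would run for this issue: whether an installed pdfjs-dist version falls in the affected range named above (<= 4.1.392), scanning a package-lock.json for every copy of the package, and how to build a getDocument() parameter object that forces isEvalSupported to false as a stop-gap until the update lands. It assumes isEvalSupported is passed through the getDocument() parameter object (as pdfjs-dist documents) and that the lockfile uses the "packages" map of lockfile v2/v3; pdfjs-dist itself is not loaded, so the script runs without the package installed.

```javascript
// Added example for CVE-2024-4367 (not part of the advisory or of PDF.js).
//  1. isAffectedVersion(): is a pdfjs-dist version inside the affected range?
//  2. findAffectedPdfjs(): report every pdfjs-dist copy in a package-lock.json.
//  3. hardenedLoadOptions(): getDocument() parameters with isEvalSupported
//     forced to false (a real pdfjs-dist option; pdfjs-dist is not loaded here).

const PATCHED_VERSION = '4.2.67';         // from the advisory
const LAST_AFFECTED_VERSION = '4.1.392';  // from the advisory

// Parse "MAJOR.MINOR.PATCH" (optionally prefixed with '^', '~' or 'v') into
// three integers. Anything else is rejected rather than guessed at.
function parseVersion(v) {
  const m = /^[\^~v]?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric (not lexical) comparison of two version strings: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the given pdfjs-dist version is <= 4.1.392.
function isAffectedVersion(version) {
  return compareVersions(version, LAST_AFFECTED_VERSION) <= 0;
}

// Walk a parsed package-lock.json (assumed lockfile v2/v3 "packages" map)
// and report every pdfjs-dist copy, including nested duplicates.
function findAffectedPdfjs(lockfile) {
  const results = [];
  const packages = lockfile.packages || {};
  for (const [path, info] of Object.entries(packages)) {
    if (!path.endsWith('node_modules/pdfjs-dist')) continue;
    if (!info || !info.version) continue;
    results.push({
      path,
      version: info.version,
      affected: isAffectedVersion(info.version),
      patchedVersion: PATCHED_VERSION,
    });
  }
  return results;
}

// getDocument() parameters with isEvalSupported pinned to false, overriding
// any caller-supplied value so the setting cannot be re-enabled by accident.
function hardenedLoadOptions(userOptions = {}) {
  return { ...userOptions, isEvalSupported: false };
}

// Constructed lockfile fragment for demonstration (not taken from the page).
const SAMPLE_LOCKFILE = {
  packages: {
    'node_modules/pdfjs-dist': { version: '4.1.392' },
    'node_modules/some-viewer/node_modules/pdfjs-dist': { version: '4.2.67' },
  },
};

for (const r of findAffectedPdfjs(SAMPLE_LOCKFILE)) {
  const state = r.affected ? `AFFECTED, update to ${r.patchedVersion}` : 'patched';
  console.log(`${r.path}@${r.version}: ${state}`);
}
console.log(hardenedLoadOptions({ url: '/docs/example.pdf', isEvalSupported: true }));
```

Disabling isEvalSupported removes the code path the advisory describes but is a mitigation, not a fix; the version check is what tells you whether the update itself has been applied, and the lockfile walk matters because a second, nested copy of pdfjs-dist pulled in by a viewer dependency can stay on an affected version after the top-level one is updated.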
References
- GHSA-wgrm-67xf-hhpq
- bugzilla.mozilla.org
- lists.debian.org
- www.mozilla.org
- seclists.org
- codeanlabs.com
- www.exploit-db.com
- CVE-2024-4367
- CWE-754
- CAPEC-310
- OWASP 2021-A6
Related Issues
- Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - CVE-2023-45133
- Svelecte item names vulnerable to execution of arbitrary JavaScript - CVE-2023-38687
- Malicious PDF can inject JavaScript into PDF Viewer - CVE-2018-5158
- webcrack has an Arbitrary File Write Vulnerability on Windows when Parsing and Saving a Malicious Bundle - CVE-2024-43373
Tags: npm, pdfjs-dist
Last updated on April 24, 2025