PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF
- Severity:
- High
Description
If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.
Recommendation
Update the pdfjs-dist package to the latest compatible version. Followings are version details:
- Affected version(s): <= 4.1.392
- Patched version(s): 4.2.67
References
- GHSA-wgrm-67xf-hhpq
- bugzilla.mozilla.org
- lists.debian.org
- www.mozilla.org
- seclists.org
- codeanlabs.com
- www.exploit-db.com
- CVE-2024-4367
- CWE-754
- CAPEC-310
- OWASP 2021-A6
Related Issues
- Mermaid does not properly sanitize architecture diagram iconText leading to XSS - CVE-2025-54880
- Vue I18n Allows Prototype Pollution in `handleFlatJson` (GHSA-p2ph-7g93-hw3m) 5 - CVE-2025-27597
- Vue I18n Allows Prototype Pollution in `handleFlatJson` (GHSA-p2ph-7g93-hw3m) 4 - CVE-2025-27597
- Vue I18n Allows Prototype Pollution in `handleFlatJson` (GHSA-p2ph-7g93-hw3m) 3 - CVE-2025-27597
- Tags:
- npm
- pdfjs-dist
Anything's wrong? Let us know Last updated on April 24, 2025