GHSA-87hq-q4gp-9wr4: react-pdf vulnerable to arbitrary JavaScript execution upon opening a malicious PDF with PDF.js

Summary

If PDF.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Patches

This patch forces isEvalSupported to false, removing the attack vector.

Workarounds

Set options.isEvalSupported to false, where options is the Document component prop.
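The workaround as working code, added here as an illustration and not taken from the advisory or the react-pdf project. It assumes, as the advisory states, that the Document options prop is handed to PDF.js and that a missing isEvalSupported behaves as true; the helper names are hypothetical.

```javascript
// Added example (not from the advisory or react-pdf). Helper names are
// hypothetical; the option name isEvalSupported is the one the advisory names.

// PDF.js treats a missing isEvalSupported as true, so an options object that
// simply omits the key is the unsafe default the advisory describes. Mirror
// that rule when auditing the options a viewer passes in.
function evalIsEnabled(options) {
  if (!options || options.isEvalSupported === undefined) return true;
  return Boolean(options.isEvalSupported);
}

// Return a copy of the options with the eval path disabled. The copy is frozen
// so later code cannot accidentally flip the flag back to true.
function hardenPdfOptions(options = {}) {
  return Object.freeze({ ...options, isEvalSupported: false });
}

// Define the options object once at module scope. react-pdf reloads the
// document whenever the identity of the options object changes, so an inline
// literal such as options={{ isEvalSupported: false }} would trigger a reload
// on every render; react-pdf's own docs advise defining it outside the component.
const SAFE_PDF_OPTIONS = hardenPdfOptions({
  cMapUrl: '/cmaps/', // constructed example of an unrelated option that is preserved
});

// Usage inside a React component (JSX shown as a comment; not executed here):
//   import { Document, Page } from 'react-pdf';
//   function Viewer({ file }) {
//     return (
//       <Document file={file} options={SAFE_PDF_OPTIONS}>
//         <Page pageNumber={1} />
//       </Document>
//     );
//   }
```

On react-pdf versions that already ship the patch the prop is redundant but harmless; on unpatched versions it is the only thing standing between a malicious PDF and script execution in the hosting origin.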

References

  • GHSA-wgrm-67xf-hhpq
  • https://github.com/mozilla/pdf.js/pull/18015
  • https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6
  • https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

Package: react-pdf (npm)

Affected versions: < 7.7.3; >= 8.0.0, < 8.0.2

Patched versions: 7.7.3, 8.0.2


References

  • GHSA-wgrm-67xf-hhpq
  • GHSA-87hq-q4gp-9wr4
  • https://nvd.nist.gov/vuln/detail/CVE-2024-34342
  • mozilla/pdf.js#18015
  • mozilla/pdf.js@85e64b5
  • wojtekmaj/react-pdf@208f28d
  • wojtekmaj/react-pdf@671e6ea

wojtekmaj published to wojtekmaj/react-pdf: May 7, 2024

Published by the National Vulnerability Database: May 7, 2024

Published to the GitHub Advisory Database: May 7, 2024

Reviewed: May 7, 2024

Last updated: May 7, 2024
