[NPM:GHSA-87HQ-Q4GP-9WR4] react-pdf vulnerable to arbitrary JavaScript execution upon opening a malicious PDF with PDF.js

Severity High
Affected Packages 2
Fixed Packages 2
CVEs 1

Summary

If PDF.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Patches

This patch forces isEvalSupported to false, removing the attack vector.

Workarounds

Set options.isEvalSupported to false, where options is the options prop of the Document component (react-pdf passes it through to PDF.js getDocument).
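As an added example (not react-pdf's or PDF.js's own code), the following helper applies the workaround above: it builds the object passed to the Document component's options prop with isEvalSupported forced to false, and warns if calling code asked for the unsafe setting. The names hardenPdfOptions and pdfOptions are chosen here; cMapUrl and cMapPacked are sample PDF.js options unrelated to the fix.

```javascript
// Added example, not part of the advisory or of react-pdf.
// `isEvalSupported` is a real PDF.js getDocument() parameter whose default is
// true; that default is the condition the advisory describes.
function hardenPdfOptions(userOptions = {}) {
  if (userOptions.isEvalSupported === true) {
    // Surface the misconfiguration rather than fixing it silently, so a
    // reviewer can find the code path that tried to re-enable eval.
    console.warn('react-pdf options requested isEvalSupported=true; forcing false');
  }
  // Spread first, then override: the caller cannot win this key.
  return { ...userOptions, isEvalSupported: false };
}

// Build the options object once at module scope (or inside useMemo):
// react-pdf reloads the document whenever the identity of the `options`
// prop changes, so a fresh object on every render would thrash the loader.
const pdfOptions = hardenPdfOptions({
  cMapUrl: '/cmaps/',   // constructed sample value, unrelated to the fix
  cMapPacked: true,     // constructed sample value, unrelated to the fix
});

// Usage in a component (JSX shown as a comment so this file runs as plain JS):
//   import { Document, Page } from 'react-pdf';
//   <Document file={url} options={pdfOptions}>
//     <Page pageNumber={1} />
//   </Document>
```

On react-pdf versions at or above the fixed releases the option is forced to false by the library itself; the helper is still useful on older versions and as a guard against a later change that reintroduces the setting.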

References

Affected packages
pkg:npm/react-pdf   >= 8.0.0, < 8.0.2
pkg:npm/react-pdf   < 7.7.3

Fixed packages
pkg:npm/react-pdf   = 8.0.2
pkg:npm/react-pdf   = 7.7.3

ID
NPM:GHSA-87HQ-Q4GP-9WR4
Severity
high
URL
https://github.com/advisories/GHSA-87hq-q4gp-9wr4
Published
2024-05-07T16:48:59
Modified
2024-05-07T16:49:01
Rights
NPM Security Team