[NPM:GHSA-WGRM-67XF-HHPQ] PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF

Severity High

Affected Packages 1

Fixed Packages 1

CVEs 1

Impact

If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Patches

The patch removes the use of eval:
https://github.com/mozilla/pdf.js/pull/18015

Workarounds

Set the option isEvalSupported to false.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

Package	Affected Version
pkg:npm/pdfjs-dist	<= 4.1.392

Package	Fixed Version
pkg:npm/pdfjs-dist	= 4.2.67

ID

NPM:GHSA-WGRM-67XF-HHPQ

Severity

high

URL

https://github.com/advisories/GHSA-wgrm-67xf-hhpq

Published

2024-05-07T10:25:08
(2 months ago)

Modified

2024-05-07T10:26:15
(2 months ago)

Rights

NPM Security Team

Other Advisories

Source	# ID	Name	URL
			https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq
			https://github.com/mozilla/pdf.js/pull/18015
			https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6
			https://bugzilla.mozilla.org/show_bug.cgi?id=1893645
			https://github.com/advisories/GHSA-wgrm-67xf-hhpq

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:npm/pdfjs-dist		pdfjs-dist	<= 4.1.392
Fixed	pkg:npm/pdfjs-dist		pdfjs-dist	= 4.2.67

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date