Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS00bTNnLTZyN2ctanY0Zs4AA8t0

Arbitrary JavaScript execution due to using outdated libraries

Summary

gradio-pdf depends on the pdf.js library and inherits CVE-2024-4367 from it: a crafted PDF rendered by an affected pdf.js build executes arbitrary JavaScript in the context of the page hosting the viewer.

PoC

  1. Generate a PDF file whose font dictionary carries a malicious script in the FontMatrix entry. The PoC payload runs alert('XSS'); the file is supplied with the original report as poc.pdf.

  2. Run the app. This PoC uses the gradio-pdf demo for a simple proof.

  3. Upload the PDF file containing the script.

  4. Check that the script runs (the alert('XSS') dialog appears in the page).
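As an added triage check (example code written for this page, not code from the advisory or from the gradio-pdf project), the following Python script flags PDFs whose /FontMatrix array contains anything other than six numbers, which is the shape of the payload the PoC steps above describe: pdf.js before 4.2.67 interpolated that array into JavaScript source and evaluated it. The two PDF fragments, the string `(alert\('XSS'\))` and the object-stream wrapper are constructed to exercise the scanner and are not a working exploit. The script only inflates FlateDecode streams; other filters and encrypted files are not decoded, so a clean result is not proof of safety and the real remedy remains the pdf.js upgrade described under Mitigation.

```python
"""Flag /FontMatrix arrays holding anything other than six numbers.

Added example, not code from the advisory or from gradio-pdf. In pdf.js before
4.2.67 (CVE-2024-4367) the FontMatrix array of a Type1 font was interpolated
into JavaScript source that was then evaluated, so a string token in that
array is the hallmark of a payload. Stdlib only; FlateDecode streams are
inflated so font dictionaries inside object streams are inspected too. Other
filters and encrypted PDFs are not decoded and can hide a payload from this."""
import re
import zlib

NUMBER = re.compile(rb"^[+-]?(?:\d+\.?\d*|\.\d+)$")        # PDF numeric token
FONTMATRIX = re.compile(rb"/FontMatrix\s*\[")
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
WHITESPACE = b" \t\r\n\x00\x0c"


def read_array(buf: bytes, pos: int):
    """Tokenize the PDF array whose '[' sits just before buf[pos]; return
    (tokens, index after the closing ']'). A literal string "( ... )" stays ONE
    token (escapes and balanced parens honoured), so whitespace inside it
    cannot split a payload into innocent-looking numeric pieces."""
    tokens, cur, depth, i = [], b"", 1, pos

    def flush():
        nonlocal cur
        if cur:
            tokens.append(cur)
            cur = b""

    while i < len(buf) and depth:
        c = buf[i:i + 1]
        if c == b"(":                       # literal string: copy it whole
            flush()
            j, pdepth = i + 1, 1
            while j < len(buf) and pdepth:
                ch = buf[j:j + 1]
                if ch == b"\\":
                    j += 1                  # skip the escaped character
                elif ch == b"(":
                    pdepth += 1
                elif ch == b")":
                    pdepth -= 1
                j += 1
            tokens.append(buf[i:j])
            i = j
            continue
        if c in (b"[", b"]"):
            flush()
            depth += 1 if c == b"[" else -1
            if depth:                       # nested bracket: keep as non-numeric token
                tokens.append(c)
        elif c in WHITESPACE:
            flush()
        else:
            cur += c
        i += 1
    flush()
    return tokens, i


def inflate_streams(buf: bytes) -> bytes:
    """Append the inflated body of every FlateDecode stream to the buffer
    (offsets reported in that region are >= len(buf)); non-zlib streams are skipped."""
    extra = []
    for m in STREAM.finditer(buf):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass
    return buf + b"\n" + b"\n".join(extra)


def scan_fontmatrix(pdf: bytes):
    """Return [(offset, tokens, reason)] per suspicious FontMatrix; [] means clean."""
    buf = inflate_streams(pdf)
    findings = []
    for m in FONTMATRIX.finditer(buf):
        tokens, _ = read_array(buf, m.end())
        bad = [t for t in tokens if not NUMBER.match(t)]
        if bad:
            findings.append((m.start(), tokens, "non-numeric element(s): %r" % (bad,)))
        elif len(tokens) != 6:
            findings.append((m.start(), tokens, "expected 6 numbers, got %d" % len(tokens)))
    return findings


# Constructed fragments for the demo (not real PoC files): a normal Type1 font
# dictionary, and one carrying a string where only numbers belong.
BENIGN = b"4 0 obj << /Type /Font /Subtype /Type1 /FontMatrix [0.001 0 0 0.001 0 0] >> endobj\n"
SUSPICIOUS = b"4 0 obj << /Type /Font /Subtype /Type1 /FontMatrix [1 2 3 4 5 (alert\\('XSS'\\))] >> endobj\n"


def wrap_in_objstm(body: bytes) -> bytes:
    """Hide `body` inside a FlateDecode object stream, as real PDF writers do."""
    data = zlib.compress(body)
    return (b"2 0 obj << /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n" % len(data)
            + data + b"\nendstream\nendobj\n")
```

Run `scan_fontmatrix(open(path, "rb").read())` over an upload before handing it to the viewer; an empty list is clean, otherwise each finding names the offset, the tokens seen and why they were rejected. The tokenizer deliberately keeps a whole literal string as one token, because splitting on whitespace alone would let `(1 2 3)` masquerade as numbers.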

Impact

Arbitrary JavaScript runs in the context of the page that renders the PDF. Chained with other weaknesses such as CSRF, this can cause greater damage, and it is a natural starting point for further attacks, particularly when combined with social engineering (for example, a victim persuaded to upload or open an attacker-supplied PDF).

Mitigation

Upgrade pdf.js to v4.2.67 or later, which removes the vulnerability, or pass the option isEvalSupported: false to getDocument() so that font glyph code is interpreted instead of compiled with new Function(). For the Python package, gradio_pdf 0.0.10 ships the fix (see Affected Packages below).

Reference

  1. https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/
  2. https://github.com/mozilla/pdf.js/pull/18015
Permalink: https://github.com/advisories/GHSA-4m3g-6r7g-jv4f
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00bTNnLTZyN2ctanY0Zs4AA8t0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 6 months ago
Updated: 6 months ago


CVSS Score: 3.6
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

Identifiers: GHSA-4m3g-6r7g-jv4f
References: Repository: https://github.com/freddyaboulton/gradio-pdf
Blast Radius: 0.0

Affected Packages

pypi:gradio_pdf
Dependent packages: 2
Dependent repositories: 1
Downloads: 6,190 last month
Affected Version Ranges: < 0.0.10
Fixed in: 0.0.10
All affected versions:
All unaffected versions: