Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS04N2hxLXE0Z3AtOXdyNM4AA70i

react-pdf vulnerable to arbitrary JavaScript execution upon opening a malicious PDF with PDF.js

Summary

If PDF.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Patches

This patch forces isEvalSupported to false, removing the attack vector.

Workarounds

Set options.isEvalSupported to false, where options is Document component prop.

References

• GHSA-wgrm-67xf-hhpq
• https://github.com/mozilla/pdf.js/pull/18015
• https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6
• https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

Permalink: https://github.com/advisories/GHSA-87hq-q4gp-9wr4
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04N2hxLXE0Z3AtOXdyNM4AA70i
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 12 days ago
Updated: 11 days ago

CVSS Score: 7.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L

Identifiers: GHSA-87hq-q4gp-9wr4, CVE-2024-34342
References:

• https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq
• https://github.com/wojtekmaj/react-pdf/security/advisories/GHSA-87hq-q4gp-9wr4
• https://nvd.nist.gov/vuln/detail/CVE-2024-34342
• https://github.com/mozilla/pdf.js/pull/18015
• https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6
• https://github.com/wojtekmaj/react-pdf/commit/208f28dd47fe38c33ce4bac4205b2b0a0bb207fe
• https://github.com/wojtekmaj/react-pdf/commit/671e6eaa2e373e404040c13cc6b668fe39839cad
• https://github.com/advisories/GHSA-87hq-q4gp-9wr4

Repository: https://github.com/mozilla/pdf.js
Blast Radius: 27.6

Affected Packages