View all vulnerabilities

CVE-2024-34342

react-pdf vulnerable to arbitrary JavaScript execution upon opening a malicious PDF with PDF.js

### SummaryIf PDF.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.### Patches[This patch](https://github.com/wojtekmaj/react-pdf/commit/671e6eaa2e373e404040c13cc6b668fe39839cad) forces `isEvalSupported` to `false`, removing the attack vector.### WorkaroundsSet `options.isEvalSupported` to `false`, where `options` is `Document` component prop.### References- [GHSA-wgrm-67xf-hhpq](https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq)- https://github.com/mozilla/pdf.js/pull/18015- https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6- https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading
Vulnerability Details
Score
7.1
Score Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Affected Versions
react-pdf < 7.7.3; react-pdf >= 8.0.0 < 8.0.2
Severity
High
Ecosystem
JavaScript
Publish Date
May 7, 2024
Modified Date
January 14, 2025