View all vulnerabilities

CVE-2024-34342

react-pdf vulnerable to arbitrary JavaScript execution upon opening a malicious PDF with PDF.js

Description

### Summary


If PDF.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

### Patches
[This patch](https://github.com/wojtekmaj/react-pdf/commit/671e6eaa2e373e404040c13cc6b668fe39839cad) forces `isEvalSupported` to `false`, removing the attack vector.

### Workarounds
Set `options.isEvalSupported` to `false`, where `options` is `Document` component prop.

### References
- [GHSA-wgrm-67xf-hhpq](https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq)
- https://github.com/mozilla/pdf.js/pull/18015
- https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6
- https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading
Vulnerability Details
Score
7.1
Score Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Affected Versions
react-pdf < 7.7.3; react-pdf >= 8.0.0 < 8.0.2
Severity
High
High
High
Ecosystem
JavaScript
Publish Date
May 7, 2024
Modified Date
January 14, 2025