CVE-2024-34342

react-pdf vulnerable to arbitrary JavaScript execution upon opening a malicious PDF with PDF.js

Description

Summary

If PDF.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Patches

This patch forces isEvalSupported to false, removing the attack vector.

Workarounds

Set options.isEvalSupported to false, where options is Document component prop.

References

GHSA-wgrm-67xf-hhpq
https://github.com/mozilla/pdf.js/pull/18015
https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6
https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

Patch Available

Fix available through Seal Security.  
No upgrade required, protect your application instantly.

Fix without upgrading

Score

7.1

Severity

High

Ecosystem

JavaScript

Publish Date

May 7, 2024

Modified Date

February 3, 2026

Score Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L

Affected Versions