CVE-2024-4367

PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF

Description

Impact

If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Patches

The patch removes the use of eval: https://github.com/mozilla/pdf.js/pull/18015

Workarounds

Set the option isEvalSupported to false.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

Patch Available

Fix available through Seal Security.  
No upgrade required, protect your application instantly.

Fix without upgrading

Score

8.8

Severity

High

Ecosystem

JavaScript

Publish Date

May 7, 2024

Modified Date

May 13, 2026

Score Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Versions