CVE-2024-4367

HIGH8.8EPSS 40.3%

PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF

Published: 5/7/2024Modified: 5/13/2026

Also known as:GHSA-wgrm-67xf-hhpqCGA-9prp-5j33-cxv9

Description

### Impact If pdf.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. ### Patches The patch removes the use of `eval`: https://github.com/mozilla/pdf.js/pull/18015 ### Workarounds Set the option `isEvalSupported` to `false`. ### References https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

Affected packages (9)

Debian/firefox-esrfrom 0, < 115.11.0esr-1~deb11u1
Debian/firefox-esrfrom 0, < 115.11.0esr-1~deb11u1
Debian/firefox-esrfrom 0, < 115.11.0esr-1~deb10u1
Debian/odoofrom 0, < 14.0.0+dfsg.2-7+deb11u2
Debian/odoofrom 0, < 14.0.0+dfsg.2-7+deb11u2
Debian/thunderbirdfrom 0, < 1:115.11.0-1~deb10u1
Debian/thunderbirdfrom 0, < 1:115.11.0-1~deb11u1
Debian/thunderbirdfrom 0, < 1:115.11.0-1~deb11u1
npm/pdfjs-distfrom 0, < 4.2.67

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

Affected packages (9)

CVSS scores

References (18)