pdfjs-dist 2.2.228
1 security vulnerability found in version 2.2.228
PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF
High severity, CVE-2024-4367
Affected versions: <= 4.1.392
Impact
If PDF.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.
Patches
The patch removes the use of eval: https://github.com/mozilla/pdf.js/pull/18015
Workarounds
Set the option isEvalSupported to false.
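As an added example (not part of this advisory and not code from the pdf.js project), the following Node.js snippet shows the defender-side checks that follow from the advisory: a version comparison against the stated affected range (<= 4.1.392), a helper that applies the workaround by forcing isEvalSupported to false on the parameter object passed to getDocument(), and a small audit function that flags parameter objects which would leave eval enabled. The function names compareVersions, isAffectedVersion, hardenDocumentParams and auditDocumentParams are this example's own; the pdf.js getDocument() call appears only in a comment and is never executed.

```javascript
// Added example for CVE-2024-4367 (not part of the advisory or of pdf.js).
// Stand-alone: no pdfjs-dist import is needed to run it.

// Highest affected pdfjs-dist version, as stated in the advisory.
const LAST_AFFECTED_VERSION = "4.1.392";

// Compare two dotted numeric versions (a prerelease suffix such as
// "-beta.1" is ignored). Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the installed pdfjs-dist version falls inside the advisory's
// affected range (<= 4.1.392).
function isAffectedVersion(version) {
  return compareVersions(version, LAST_AFFECTED_VERSION) <= 0;
}

// Return a copy of getDocument() parameters with the workaround applied:
// isEvalSupported is forced to false regardless of what the caller passed.
// When the key is absent the library default is true, which is the unsafe case.
function hardenDocumentParams(params) {
  return { ...params, isEvalSupported: false };
}

// Audit helper: report why a getDocument() parameter object would leave
// eval of PDF-supplied code enabled, so a code review or lint rule can flag it.
function auditDocumentParams(params) {
  const findings = [];
  if (!Object.prototype.hasOwnProperty.call(params, "isEvalSupported")) {
    findings.push("isEvalSupported not set: defaults to true, so eval stays enabled");
  } else if (params.isEvalSupported !== false) {
    findings.push(
      `isEvalSupported is ${JSON.stringify(params.isEvalSupported)}: must be false`
    );
  }
  return findings;
}

// Usage. In a real application the hardened object is what gets passed to
// pdf.js, e.g.:
//   const loadingTask = pdfjsLib.getDocument(hardenDocumentParams({ data: bytes }));
const installed = "2.2.228"; // the version on this page
console.log(`pdfjs-dist ${installed} affected:`, isAffectedVersion(installed)); // true
console.log("findings for default params:", auditDocumentParams({ data: new Uint8Array(0) }));
console.log("hardened params:", hardenDocumentParams({ data: new Uint8Array(0) }));
```

Forcing the key rather than merely defaulting it means a later caller cannot re-enable eval by spreading their own options over the hardened object; the audit function is the complement, for finding call sites that were never routed through the helper.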
References
Author did not declare license for this package in the source code.
This package version has an Apache-2.0 license in the source code, however it was not declared in the source code.
This package version is available.
This package version has not been yanked and is still available for usage.