See on npm

pdfjs-dist 4.0.189

1 security vulnerability found in version 4.0.189

PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF

high severity CVE-2024-4367
high severity CVE-2024-4367
Affected versions: <= 4.1.392

Impact

If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Patches

The patch removes the use of eval: https://github.com/mozilla/pdf.js/pull/18015

Workarounds

Set the option isEvalSupported to false.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

No license issues detected.

This package version has a license in the source code.

This package version is available.

This package version has not been yanked and is still available for usage.