Arbitrary Code Injection Affecting pdfjs-dist package, versions <4.2.67


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.04% (13th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Arbitrary Code Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-PDFJSDIST-6810403
  • published7 May 2024
  • disclosed7 May 2024
  • creditThomasRinsma

Introduced: 7 May 2024

CVE-2024-4367  (opens in a new tab)
CWE-94  (opens in a new tab)

How to fix?

Upgrade pdfjs-dist to version 4.2.67 or higher.

Overview

pdfjs-dist is a Portable Document Format (PDF) library that is built with HTML5.

Affected versions of this package are vulnerable to Arbitrary Code Injection in font_loader.js, which passes input to the eval() function when the default isEvalSupported option is in use. An attacker can execute code by convincing a user to open a malicious PDF file.

Workaround

This vulnerability can be avoided by setting isEvalSupported to false.

CVSS Scores

version 3.1