CVE-2024-4367 vulnerability in pdf.js

Which product are you using?
PDF.js Express Viewer

PDF.js Express Version
8.7.4

Detailed description of issue
The latest version of pdfjs-express-viewer has a critical vulnerability in PDF.js (PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF, CVE-2024-4367, GitHub Advisory Database). Are there any plans to release a patch to address this? We are currently using pdfjs-express-viewer in a production application and need this to be resolved ASAP.

Hello webdevops,

Thank you for raising this. We are aware of this vulnerability and have decided to disable the eval in PDF.js that is causing this issue, according to the workaround in the CVE.

In the meantime, disabling embedded JavaScript will prevent this vulnerability; see this forum post for more information:

Best regards,
Tyler

Awesome, thank you! We will use your suggestion to disable embedded JS.
Is there an ETA for disabling the eval in PDF.js?

Thanks again!

Hello webdevops,

We just pushed a new version disabling eval per the workaround suggested in the CVE.

Best regards,
Tyler
