Mozilla · Pdf.Js · CVE-2024-34342
**Name of the Vulnerable Software and Affected Versions**
react-pdf versions prior to 7.7.3
react-pdf versions prior to 8.0.2
**Description**
The issue arises when PDF.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true`, which is the default value. This configuration allows unrestricted attacker-controlled JavaScript to be executed in the context of the hosting domain.
**Recommendations**
For versions prior to 7.7.3, update to version 7.7.3 or later.
For versions prior to 8.0.2, update to version 8.0.2 or later.
As a temporary workaround, set the option `isEvalSupported` to `false` to minimize the risk of exploitation.
In react-pdf, set `options.isEvalSupported` to `false`, where `options` is a prop of the `Document` component.
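One way to apply both recommendations in an application, as an added example that is not react-pdf's or PDF.js's own code: a version check against the fixed releases named above, and a helper that builds the `Document` `options` prop with `isEvalSupported` forced off. The names `FIXED`, `parseVersion`, `compare`, `isAffected` and `safePdfOptions` are hypothetical, and reading the two fixed releases as per-major fix lines (7.x and 8.x) is an assumption.

```javascript
// Added example; helper names are hypothetical, not part of react-pdf or PDF.js.
// Fixed releases come from the advisory text. Assumption: they are per-major
// fix lines (7.x fixed in 7.7.3, 8.x fixed in 8.0.2).
const FIXED = { 7: [7, 7, 3], 8: [8, 0, 2] };

// Accept only plain "x.y.z" (optional leading "v"). Pre-release or malformed
// strings return null so the caller can fail closed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric comparison of [major, minor, patch] triples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true means "upgrade or apply the workaround".
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return true;               // unknown format: treat as affected
  if (v[0] < 7) return true;         // older than every fixed release
  const fixed = FIXED[v[0]];
  // Assumption: majors newer than 8 already carry the fix.
  return fixed ? compare(v, fixed) < 0 : false;
}

// Build the object passed as the Document component's `options` prop.
// isEvalSupported is written last, so options merged in from elsewhere
// (shared config, a wrapper component) cannot switch it back on.
function safePdfOptions(callerOptions = {}) {
  return Object.freeze({ ...callerOptions, isEvalSupported: false });
}

// Create the options once at module scope and reuse the same object:
const PDF_OPTIONS = safePdfOptions({ cMapUrl: '/cmaps/' }); // constructed sample value

// In a component (JSX, shown as a comment so this file runs under plain Node):
//   <Document file={url} options={PDF_OPTIONS} />
```

The version check suits a CI step fed with the installed react-pdf version; the options helper is still worth keeping after upgrading, since it costs nothing and covers a later dependency downgrade.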