PT-2024-25799 · Mozilla +1 · Pdf.Js +1

Calixteman +1 · Published 2024-05-07 · Updated 2026-01-20 · CVE-2024-34342

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions
react-pdf versions prior to 7.7.3
react-pdf versions prior to 8.0.2

Description
The issue arises when PDF.js is used to load a malicious PDF while PDF.js is configured with isEvalSupported set to true, which is the default value. This configuration allows unrestricted attacker-controlled JavaScript to be executed in the context of the hosting domain.

Recommendations
For versions prior to 7.7.3, update to version 7.7.3 or later. For versions prior to 8.0.2, update to version 8.0.2 or later. As a temporary workaround, consider setting the option isEvalSupported to false to minimize the risk of exploitation: set options.isEvalSupported to false, where options is the options prop of the Document component.
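
As an added illustration (not code from the advisory or from the react-pdf project), a small JavaScript triage helper that encodes the affected ranges and the workaround above, so a project can check its installed react-pdf version and Document options prop against them. The function names and the sample version strings are my own constructions.

```javascript
// Added triage helper (not from the advisory or the react-pdf project). It applies the
// advisory's affected ranges (< 7.7.3, < 8.0.2) and its workaround (isEvalSupported=false)
// to a project's react-pdf version and Document `options` prop. Assumes plain dotted
// release versions such as "7.7.2"; pre-release suffixes are not handled.
const FIXED_VERSIONS = { 7: "7.7.3", 8: "8.0.2" };

// Numeric comparison of dotted version strings: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the installed react-pdf version is inside an affected range.
function isAffectedVersion(version) {
  const major = Number(version.split(".")[0]);
  if (major < 7) return true;            // "prior to 7.7.3" covers every older line
  const fixed = FIXED_VERSIONS[major];
  if (!fixed) return false;              // majors above 8 are outside the stated ranges
  return compareVersions(version, fixed) < 0;
}

// PDF.js defaults isEvalSupported to true, so only an explicit false counts as disabled.
function evalEnabled(options) {
  return !(options && options.isEvalSupported === false);
}

// Verdict for one deployment: "fixed", "mitigated" (workaround applied) or "vulnerable".
function assessReactPdf(version, options) {
  if (!isAffectedVersion(version)) return "fixed";
  return evalEnabled(options) ? "vulnerable" : "mitigated";
}

// Build the Document `options` prop with the workaround enforced on top of the caller's
// settings; frozen so later code cannot flip the flag back to the default.
function hardenedOptions(userOptions = {}) {
  return Object.freeze({ ...userOptions, isEvalSupported: false });
}

// Usage in a component: <Document file={file} options={hardenedOptions(existingOptions)} />
console.log(assessReactPdf("7.7.2", {}));                 // vulnerable
console.log(assessReactPdf("7.7.2", hardenedOptions()));  // mitigated
console.log(assessReactPdf("8.0.2", {}));                 // fixed
```

Define the hardened options object once outside the component body rather than inline, so the Document component receives a stable reference and is not re-created on every render.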

Exploit · Fix · XSS

Weakness Enumeration
Improper Check for Exceptional Conditions

Related Identifiers

CVE-2024-34342
GHSA-87HQ-Q4GP-9WR4
GHSA-WGRM-67XF-HHPQ

Affected Products

Pdf.Js
React-Pdf