The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This vulnerability affects Firefox ESR < 52.8, Firefox < 60 and PDF.js < 2.0.550.

Affected Packages

npm pdfjs-dist

Affected versions: 2.0.0 (fixed in 2.0.550)

npm pdfjs-dist

Affected versions: 0 (fixed in 1.10.100)

Related CVEs

CVE-2018-5158

Key Information

GHSA ID

GHSA-7jg2-jgv3-fmr4

Published

May 14, 2022 1:22 AM

Last Modified

May 28, 2024 8:43 PM

CVSS Score

7.5 /10

Primary Ecosystem

npm

Primary Package

pdfjs-dist

GitHub Reviewed

✓ Yes

Dataset

Last updated: September 17, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.