GHSA-wgrm-67xf-hhpq

GitHub Security Advisory

PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF

GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

### Impact
If PDF.js is used to load a malicious PDF and is configured with `isEvalSupported` set to `true` (the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

### Patches
The patch removes the use of `eval`:
https://github.com/mozilla/pdf.js/pull/18015

### Workarounds
Set the option `isEvalSupported` to `false`.
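The following is an added example, not code from the pdf.js project or from the advisory. It assumes the `DocumentInitParameters` object passed to `pdfjsLib.getDocument()`, whose `isEvalSupported` option defaults to `true`, and the fixed version 4.2.67 given in this advisory; the version strings and file path in the sample are constructed.

```javascript
// Fixed pdfjs-dist version named in the advisory.
const FIXED_VERSION = "4.2.67";

// Numeric comparison of dotted versions (string comparison would rank
// "4.10.x" below "4.2.x"). Negative, zero or positive like strcmp.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// True when the installed pdfjs-dist release predates the eval removal.
function isVulnerableVersion(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// True when the init parameters would leave eval enabled: the option is
// absent (so the default of true applies) or set to anything but false.
function leavesEvalEnabled(params) {
  return !(params && params.isEvalSupported === false);
}

// Copy of the parameters with the workaround applied.
function hardenParams(params) {
  return { ...params, isEvalSupported: false };
}

// Startup check: exposed only if the version is old and eval is still on.
function isExposed(version, params) {
  return isVulnerableVersion(version) && leavesEvalEnabled(params);
}

// Constructed sample: an application relying on the default setting.
const weakParams = { url: "/docs/sample.pdf" };
const safeParams = hardenParams(weakParams);

// In the application the hardened object is what gets passed on:
//   const loadingTask = pdfjsLib.getDocument(safeParams);
// (kept as a comment so this example runs without pdfjs-dist installed)
```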

### References
https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

Affected Packages

npm pdfjs-dist
Affected versions: 0 (fixed in 4.2.67)

Key Information

| Field | Value |
|---|---|
| GHSA ID | GHSA-wgrm-67xf-hhpq |
| Published | May 7, 2024 10:25 AM |
| Last Modified | April 24, 2025 9:41 PM |
| CVSS Score | 7.5 / 10 |
| Primary Ecosystem | npm |
| Primary Package | pdfjs-dist |
| GitHub Reviewed | Yes |

Dataset

Last updated: September 20, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.