CVE-2024-4367 & CVE-2024-34342: JavaScript Flaws Threaten Millions of PDF.js and React-PDF Users
A significant security flaw has been identified in PDF.js, a widely used, Mozilla-supported PDF viewer built with HTML5, and in React-PDF, a popular npm package for displaying PDFs within React applications. The vulnerability allows the execution of arbitrary JavaScript code and puts millions of users at risk.
Overview of the Vulnerability
Designated CVE-2024-4367 in PDF.js and CVE-2024-34342 in React-PDF, the flaw hinges on the improper handling of JavaScript within PDF files. When PDF.js or React-PDF loads a malicious PDF while the isEvalSupported setting is enabled (it is true by default), unrestricted JavaScript can execute in the context of the hosting domain.
Security researcher Thomas Rinsma discovered the vulnerability, emphasizing that an attacker could use it to steal cookies or session tokens, or to perform actions on behalf of the user.
Impact and Statistics
PDF.js is a cornerstone in web standards-based PDF rendering, boasting over 46,000 stars on GitHub and nearly 2 million downloads weekly from npm. React-PDF, similarly, has a substantial footprint with over 600,000 downloads per week, making the impact of this vulnerability particularly severe.
Affected and Patched Versions
- PDF.js: Versions up to 4.1.392 are affected. The issue has been patched in version 4.2.67, which removes the use of eval, a JavaScript function that can run code represented as a string (Patch #18015).
- React-PDF: This flaw affects versions up to 7.7.2 and from 8.0.0 to 8.0.1. Patched versions are 7.7.3 and 8.0.2.
Workarounds and Mitigations
Both vulnerabilities are mitigated by setting isEvalSupported to false. For PDF.js, this setting is configured globally, while in React-PDF it must be specified within the options prop of the Document component. By disabling eval, users protect themselves from the execution of malicious scripts embedded in PDF files.
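As an added illustration (not code from the article or from either project): a small audit helper that checks an installed pdfjs-dist or react-pdf version against the affected ranges listed above and builds an options object with the isEvalSupported workaround applied. The npm package name pdfjs-dist and passing isEvalSupported through getDocument() are assumptions drawn from the upstream packages rather than from this page.

```javascript
// Affected ranges as stated in the advisory summary above (inclusive bounds).
// pdfjs-dist: <= 4.1.392, fixed in 4.2.67
// react-pdf:  <= 7.7.2 and 8.0.0..8.0.1, fixed in 7.7.3 / 8.0.2
const AFFECTED = {
  "pdfjs-dist": { cve: "CVE-2024-4367", ranges: [["0.0.0", "4.1.392"]], fixed: ["4.2.67"] },
  "react-pdf": { cve: "CVE-2024-34342", ranges: [["0.0.0", "7.7.2"], ["8.0.0", "8.0.1"]], fixed: ["7.7.3", "8.0.2"] },
};

// Parse "x.y.z" (optionally prefixed with "v") into three integers; reject anything else.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two versions: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed version of pkg lies inside one of its affected ranges.
function isAffected(pkg, version) {
  const entry = AFFECTED[pkg];
  if (!entry) throw new Error(`unknown package: ${pkg}`);
  return entry.ranges.some(
    ([lo, hi]) => compareVersions(version, lo) >= 0 && compareVersions(version, hi) <= 0
  );
}

// Workaround from the advisory: force isEvalSupported off regardless of what the
// caller supplied. Pass the result as the parameters object to pdfjsLib.getDocument()
// (assumed parameter location) or as <Document options={...}> in React-PDF.
function hardenPdfOptions(options = {}) {
  return { ...options, isEvalSupported: false };
}

// Example audit over a constructed dependency list (not a real lockfile).
const installed = { "pdfjs-dist": "4.1.392", "react-pdf": "8.0.2" };
for (const [pkg, ver] of Object.entries(installed)) {
  const status = isAffected(pkg, ver) ? `VULNERABLE (${AFFECTED[pkg].cve})` : "not affected";
  console.log(`${pkg}@${ver}: ${status}; fixed in ${AFFECTED[pkg].fixed.join(" / ")}`);
}
```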
Broader Implications
The discovery of CVE-2024-4367 and CVE-2024-34342 raises significant concerns about the safety of embedding complex document rendering functionality within web applications. Default settings that favor functionality over security, such as enabling isEvalSupported, highlight the ongoing tension between usability and cybersecurity.