CVE-2024-4367

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-4367
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-4367.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-4367
Aliases
Downstream
Related
Published
2024-05-14T18:15:12Z
Modified
2025-09-19T15:05:33.351469Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

References

Affected packages

Git / github.com/mozilla/pdf.js

Affected ranges

Type
GIT
Repo
https://github.com/mozilla/pdf.js
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
49b388101a53f1ff81390fab8336d02acf06a582

Affected versions

1.*

1.0.277

milestone-0.*

milestone-0.2

v0.*

v0.1.0
v0.3.459
v0.4.11
v0.5.5
v0.8.1181
v0.8.1334

v1.*

v1.0.1040
v1.0.1149
v1.0.2
v1.0.21
v1.0.277
v1.0.403
v1.0.473
v1.0.68
v1.0.712
v1.0.907
v1.1.1
v1.1.114
v1.1.215
v1.1.3
v1.1.366
v1.1.469
v1.10.88
v1.2.109
v1.3.88
v1.4.11
v1.4.20
v1.5.188
v1.6.210
v1.7.225
v1.8.170
v1.8.188
v1.9.426

v2.*

v2.0.943
v2.1.266
v2.10.377
v2.11.338
v2.12.313
v2.13.216
v2.14.305
v2.15.349
v2.16.105
v2.2.228
v2.3.200
v2.4.456
v2.5.207
v2.6.347
v2.7.570
v2.8.335
v2.9.359

v3.*

v3.0.279
v3.1.81
v3.10.111
v3.11.174
v3.2.146
v3.3.122
v3.4.120
v3.5.141
v3.6.172
v3.7.107
v3.8.162
v3.9.179

v4.*

v4.0.189
v4.0.269
v4.0.379
v4.1.392

Other

vundefined