GHSA-87hq-q4gp-9wr4

Source
https://github.com/advisories/GHSA-87hq-q4gp-9wr4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-87hq-q4gp-9wr4/GHSA-87hq-q4gp-9wr4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-87hq-q4gp-9wr4
Aliases
Published
2024-05-07T16:48:59Z
Modified
2024-05-29T22:12:45Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Summary
react-pdf vulnerable to arbitrary JavaScript execution upon opening a malicious PDF with PDF.js
Details

Summary

If PDF.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Patches

This patch forces isEvalSupported to false, removing the attack vector.

Workarounds

Set options.isEvalSupported to false, where options is a prop of the Document component.

References

  • GHSA-wgrm-67xf-hhpq
  • https://github.com/mozilla/pdf.js/pull/18015
  • https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6
  • https://bugzilla.mozilla.org/show_bug.cgi?id=1893645
Affected packages

npm / react-pdf

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
7.7.3

npm / react-pdf

Package

Affected ranges

Type
SEMVER
Events
Introduced
8.0.0
Fixed
8.0.2
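
The following is an added example, not code from react-pdf or PDF.js: it checks an installed react-pdf version against the affected ranges listed above and builds the options object for the workaround. The function names are hypothetical, and it assumes plain major.minor.patch version strings (pre-release tags are rejected rather than guessed at).

```javascript
// Affected ranges as listed in this advisory, each as [introduced, fixed).
const AFFECTED_RANGES = [
  { introduced: "0.0.0", fixed: "7.7.3" },
  { introduced: "8.0.0", fixed: "8.0.2" },
];

// Accept only "major.minor.patch" (optional leading "v"); anything else throws
// so that a pre-release build is never silently classified as safe.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison per component, so 7.10.0 sorts after 7.7.3.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  return AFFECTED_RANGES.some(
    (r) =>
      compareVersions(version, r.introduced) >= 0 &&
      compareVersions(version, r.fixed) < 0
  );
}

// Workaround: the object to pass as the Document component's options prop.
// Caller settings are kept, but isEvalSupported is always forced to false.
function hardenedDocumentOptions(options = {}) {
  return { ...options, isEvalSupported: false };
}

// Review a deployment: the installed version plus the options the app passes.
function auditReactPdf(version, options) {
  const affected = isAffected(version);
  // An absent value counts as enabled, because true is the default.
  const evalEnabled = !options || options.isEvalSupported !== false;
  return { affected, evalEnabled, exposed: affected && evalEnabled };
}
```

An application pinned to an affected version can pass the result of hardenedDocumentOptions as the options prop until it upgrades to 7.7.3 or 8.0.2.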