CVE-2024-34342 HIGH

CVE-2024-34342: react-pdf's PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF

Vendor Wojtekmaj
Product react-pdf
Weakness CWE-79 · XSS
Published May 7, 2024
Last update August 2, 2024

CVSS base score

7.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L

What the vulnerability does

Description

react-pdf displays PDFs in React apps using PDF.js. When the PDF.js instance used by react-pdf loads a malicious PDF while `isEvalSupported` is set to `true` (the default), unrestricted attacker-controlled JavaScript runs in the origin of the hosting page. This vulnerability is fixed in react-pdf 7.7.3 and 8.0.2.
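The advisory names two controls: upgrade to a fixed release, or make sure `isEvalSupported` is not left at its default. The following is an added example written for this page, not code from react-pdf or PDF.js. It builds the `options` object that react-pdf's `Document` component forwards to `pdfjs.getDocument()` with `isEvalSupported` forced to `false`, and checks an installed react-pdf version against the fixed releases listed above. The version check assumes, beyond what the page states, that every release below 7.7.3 (including older major lines) is unpatched and that releases after the 8.x line carry the fix; the `safeToRender` guard and the version strings in the comments are illustrative.

```javascript
// Added example for this advisory; not code from react-pdf or PDF.js.
// Two things a practitioner wants here: (1) force the mitigating
// PDF.js option regardless of what a caller passes, and (2) check
// whether an installed react-pdf version is at or above the fixed
// releases named in the advisory.

// Fixed releases from the advisory: 7.7.3 (7.x line) and 8.0.2 (8.x line).
const FIXED = { 7: [7, 7, 3], 8: [8, 0, 2] };

// Parse "8.0.1" or "v8.0.1-beta.2" into [major, minor, patch].
function parseVersion(str) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(str).trim());
  if (!m) throw new Error(`unparseable version: ${str}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` carries the fix. Assumption (not stated on the
// page): every release below 7.7.3, including older major lines, is
// treated as unpatched, and anything above the 8.x line is treated as
// carrying the fix.
function isPatched(version) {
  const v = parseVersion(version);
  if (v[0] > 8) return true;
  const floor = v[0] === 8 ? FIXED[8] : FIXED[7];
  return compareVersions(v, floor) >= 0;
}

// Build the `options` object handed to react-pdf's <Document>, which
// forwards it to pdfjs.getDocument(). isEvalSupported is forced to
// false even if a caller tries to pass true, so PDF.js never takes the
// code path that generates JavaScript from PDF content.
function hardenedOptions(extra = {}) {
  return { ...extra, isEvalSupported: false };
}

// Illustrative runtime guard: only render when the installed version is
// patched or the mitigating option is in place.
function safeToRender(reactPdfVersion, options) {
  return isPatched(reactPdfVersion) || options.isEvalSupported === false;
}
```

In a component this is used as `<Document file={url} options={PDF_OPTIONS}>` with `const PDF_OPTIONS = hardenedOptions();` defined once at module scope (or memoized): react-pdf reloads the document whenever the identity of the `options` object changes, so creating it inline on every render would refetch the PDF on each update. Treat the option as defence in depth, not a substitute for upgrading to 7.7.3 or 8.0.2.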

Key dates

Disclosure timeline

May 7, 2024 CVE published
August 2, 2024 Record updated