Описание
react-pdf vulnerable to arbitrary JavaScript execution upon opening a malicious PDF with PDF.js
Summary
If PDF.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.
Patches
This patch forces isEvalSupported to false, removing the attack vector.
Workarounds
Set options.isEvalSupported to false, where options is Document component prop.
References
Ссылки
- https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq
- https://github.com/wojtekmaj/react-pdf/security/advisories/GHSA-87hq-q4gp-9wr4
- https://nvd.nist.gov/vuln/detail/CVE-2024-34342
- https://github.com/mozilla/pdf.js/pull/18015
- https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6
- https://github.com/wojtekmaj/react-pdf/commit/208f28dd47fe38c33ce4bac4205b2b0a0bb207fe
- https://github.com/wojtekmaj/react-pdf/commit/671e6eaa2e373e404040c13cc6b668fe39839cad
Пакеты
react-pdf
< 7.7.3
7.7.3
react-pdf
>= 8.0.0, < 8.0.2
8.0.2
Связанные уязвимости
react-pdf displays PDFs in React apps. If PDF.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. This vulnerability is fixed in 7.7.3 and 8.0.2.